Skip to main content
CVE Vulnerability Database

CVE-2026-5892: Google Chrome RCE Vulnerability

CVE-2026-5892 is a remote code execution vulnerability in Google Chrome affecting PWA policy enforcement. Attackers with compromised renderer access can install PWAs without consent. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Updated:

CVE-2026-5892 Overview

CVE-2026-5892 is an insufficient policy enforcement vulnerability in the Progressive Web App (PWA) component of Google Chrome prior to version 147.0.7727.55. The flaw allows a remote attacker who has already compromised the renderer process to install a PWA without user consent through a crafted HTML page. Google classifies the Chromium security severity as Medium. The issue is tracked under CWE-1268 — policy privileges are not assigned consistently between control spheres. It affects Chrome installations on Windows, macOS, and Linux.

Critical Impact

An attacker who has already compromised the Chrome renderer process can silently install a PWA, establishing a persistent foothold on the user's system without prompting for consent.

Affected Products

  • Google Chrome versions prior to 147.0.7727.55
  • Chrome on Microsoft Windows, Apple macOS, and Linux desktop platforms
  • Chromium-based browsers sharing the affected PWA installation code path

Discovery Timeline

  • 2026-04-08 - CVE-2026-5892 published to the National Vulnerability Database
  • 2026-04-14 - Last updated in NVD database

Technical Details for CVE-2026-5892

Vulnerability Analysis

The vulnerability resides in the policy enforcement layer governing PWA installation flows in Chrome. PWAs are web applications that, once installed, gain elevated capabilities such as desktop shortcuts, isolated storage, and persistent background execution. Chrome normally requires explicit user interaction before installing a PWA. The defective policy check fails to consistently validate that consent originated from a legitimate user gesture in the browser UI rather than from a renderer-controlled code path.

A compromised renderer can therefore invoke the installation pathway and bypass the consent prompt. The result is silent installation of attacker-defined web application content, enabling persistence and broader privilege within the browser sandbox boundary.

Root Cause

The root cause is inconsistent assignment of policy privileges between control spheres, mapped to CWE-1268. The trusted browser process did not adequately distinguish installation requests originating from genuine user gestures versus those forged by a compromised renderer. This separation-of-duties failure breaks the security model that treats the renderer as untrusted.

Attack Vector

Exploitation requires the attacker to first compromise the renderer process, typically by chaining a prior memory corruption or logic flaw triggered through a crafted HTML page. User interaction with malicious content is required. Once the renderer is under attacker control, the crafted page invokes the PWA installation flow, which the browser process accepts without the standard consent gate. The installed PWA can then operate as a persistence mechanism, host phishing surfaces using legitimate origin framing, or relaunch attacker code on subsequent sessions.

No public proof-of-concept or exploit code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.032% as of 2026-05-14.

Detection Methods for CVE-2026-5892

Indicators of Compromise

  • Unexpected PWA entries in the Chrome profile directory under Web Applications subfolders on Windows, macOS, or Linux.
  • New desktop or Start Menu shortcuts pointing to chrome_proxy.exe --app-id= followed by an unrecognized application ID.
  • Outbound connections from Chrome subprocesses to domains that do not match user browsing history.
  • Modifications to the Preferences file within the Chrome user data directory referencing unfamiliar web_app_ids.

Detection Strategies

  • Monitor creation of new application shortcuts and registry entries (HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall) that reference Chrome PWA installation paths.
  • Hunt for Chrome renderer processes spawning unusual child processes or writing to PWA manifest locations outside normal user activity windows.
  • Inspect the Web Applications directory under each Chrome profile and compare against a baseline of approved installations.

Monitoring Recommendations

  • Centralize Chrome version telemetry across the fleet to identify endpoints still running builds prior to 147.0.7727.55.
  • Log and alert on file writes to PWA manifest paths and Start Menu shortcut directories outside software deployment windows.
  • Correlate browser process anomalies with subsequent persistence artifacts using EDR storyline or process-tree data.

How to Mitigate CVE-2026-5892

Immediate Actions Required

  • Update Google Chrome to version 147.0.7727.55 or later on all Windows, macOS, and Linux endpoints.
  • Force a browser restart after the update to ensure the patched binaries are loaded into memory.
  • Audit installed PWAs across managed endpoints and remove any unrecognized entries.

Patch Information

Google addressed the issue in the Chrome stable channel release 147.0.7727.55. See the Google Chrome Update Blog for the full advisory and the Chromium Issue Report #487568011 for tracking details. Enterprise administrators should distribute the patched MSI, PKG, or DEB/RPM packages through their standard software management tooling.

Workarounds

  • Disable PWA installation enterprise-wide using the WebAppInstallForceList and DefaultWebAppInstallScope policies, or set WebAppInstallScopeDeny to block installation origins.
  • Restrict execution of Chrome PWAs by application allowlisting controls until patching completes.
  • Educate users to avoid opening untrusted HTML attachments and links that could deliver the prerequisite renderer compromise.
bash
# Configuration example: Windows Group Policy registry keys to block PWA installation
reg add "HKLM\Software\Policies\Google\Chrome" /v WebAppInstallForceList /t REG_SZ /d "[]" /f
reg add "HKLM\Software\Policies\Google\Chrome" /v DefaultWebAppInstallScope /t REG_DWORD /d 2 /f

# Verify installed Chrome version meets the patched baseline
"C:\Program Files\Google\Chrome\Application\chrome.exe" --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.