CVE-2026-7351 Overview
CVE-2026-7351 is a race condition vulnerability in the MHTML component of Google Chrome prior to version 147.0.7727.138. The vulnerability allows an attacker who convinces a user to install a malicious browser extension to leak cross-origin data through carefully crafted extension code. This vulnerability exploits a race condition (CWE-362) in Chrome's MHTML handling mechanism, potentially compromising the same-origin policy that browsers rely on to isolate web content.
Critical Impact
Malicious browser extensions can exploit this race condition to access sensitive cross-origin data, potentially exposing user information from other websites and bypassing browser security boundaries.
Affected Products
- Google Chrome versions prior to 147.0.7727.138
- Chromium-based browsers using affected MHTML components
- Desktop platforms running vulnerable Chrome versions
Discovery Timeline
- 2026-04-28 - CVE CVE-2026-7351 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-7351
Vulnerability Analysis
This vulnerability is classified as a race condition (CWE-362) within Google Chrome's MHTML processing component. MHTML (MIME HTML) is a web page archive format that encapsulates HTML content along with its resources into a single file. The race condition exists in how Chrome handles concurrent access to MHTML resources during extension operations.
The vulnerability requires user interaction in the form of installing a malicious extension, which significantly limits the attack surface. However, once a malicious extension is installed, it can exploit the timing window in MHTML processing to leak data from cross-origin sources that should normally be protected by the browser's same-origin policy.
Root Cause
The root cause is a Time-of-Check Time-of-Use (TOCTOU) style race condition in Chrome's MHTML handling code. When an extension interacts with MHTML content, there exists a timing window where the security checks and the actual data access are not atomic. A malicious extension can exploit this race window to access MHTML data from origins it should not have permission to read.
The vulnerability specifically affects the synchronization between security validation and data retrieval operations in the MHTML component, allowing an attacker to win the race and bypass cross-origin restrictions.
Attack Vector
The attack requires multiple conditions to be successful:
- The victim must be convinced to install a malicious Chrome extension
- The extension must contain crafted code designed to trigger the race condition
- The victim must navigate to or interact with MHTML content while the extension is active
- The attacker's code must successfully win the race to access cross-origin data
The network-based attack vector combined with the requirement for user interaction (installing the extension) and high attack complexity (winning the race condition) reflects the practical difficulty of exploitation. The vulnerability manifests during MHTML resource loading and extension API interactions. See the Chromium Issue Tracker Entry for additional technical details.
Detection Methods for CVE-2026-7351
Indicators of Compromise
- Unusual Chrome extension activity involving MHTML file access patterns
- Extensions requesting permissions related to web page content and cross-origin data
- Unexpected outbound network traffic from browser processes following MHTML file access
- Browser extension logs showing rapid, repeated MHTML resource access attempts
Detection Strategies
- Monitor for newly installed Chrome extensions, especially those from untrusted sources
- Implement browser extension whitelisting policies in enterprise environments
- Review extension permissions for overly broad access to web content
- Deploy endpoint detection solutions that can identify suspicious extension behaviors
Monitoring Recommendations
- Enable Chrome Enterprise policies to restrict extension installation sources
- Configure security tools to alert on extensions accessing MHTML content in unusual patterns
- Monitor browser process behavior for signs of data exfiltration attempts
- Review browser extension audit logs for unexpected cross-origin data access patterns
How to Mitigate CVE-2026-7351
Immediate Actions Required
- Update Google Chrome to version 147.0.7727.138 or later immediately
- Audit installed Chrome extensions and remove any untrusted or unnecessary extensions
- Implement browser extension management policies restricting installation to approved sources only
- Educate users about the risks of installing browser extensions from unknown developers
Patch Information
Google has addressed this vulnerability in Chrome version 147.0.7727.138. The fix addresses the race condition in the MHTML component by implementing proper synchronization mechanisms. Organizations should update all Chrome installations to the patched version.
For detailed patch information, refer to the Google Chrome Stable Update announcement.
Workarounds
- Restrict Chrome extension installation to enterprise-approved extensions only using Chrome Enterprise policies
- Disable or remove all non-essential browser extensions until patching is complete
- Consider blocking MHTML file handling if not required for business operations
- Implement network monitoring to detect potential data exfiltration attempts from browser processes
# Chrome Enterprise policy to restrict extension installation
# Add to Chrome Enterprise policies (Windows Registry example)
# HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
# ExtensionInstallBlocklist = "*"
# ExtensionInstallAllowlist = [list of approved extension IDs]
# Linux/macOS managed preferences example
# /etc/opt/chrome/policies/managed/extension_policy.json
{
"ExtensionInstallBlocklist": ["*"],
"ExtensionInstallAllowlist": ["approved-extension-id-1", "approved-extension-id-2"]
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
