CVE-2026-7945 Overview
CVE-2026-7945 is an input validation vulnerability in the Cross-Origin-Opener-Policy (COOP) implementation of Google Chrome before version 148.0.7778.96. The flaw allows a remote attacker who has already compromised the renderer process to bypass site isolation through a crafted HTML page. Site isolation is a core Chromium security boundary that separates documents from different origins into distinct processes. Bypassing this boundary weakens the defense-in-depth model that protects users from cross-origin data theft. The issue is tracked under [CWE-20: Improper Input Validation] and affects Chrome on Windows, macOS, and Linux.
Critical Impact
An attacker with renderer-process control can escape site isolation boundaries through a malicious HTML page, undermining cross-origin protections in the browser.
Affected Products
- Google Chrome prior to 148.0.7778.96
- Chromium-based browsers on Microsoft Windows
- Chromium-based browsers on Apple macOS and Linux
Discovery Timeline
- 2026-05-06 - CVE CVE-2026-7945 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-7945
Vulnerability Analysis
The vulnerability resides in Chrome's handling of Cross-Origin-Opener-Policy headers and related browsing-context state. COOP is designed to ensure that a top-level document does not share a browsing context group with cross-origin documents. Chrome enforces this separation as part of site isolation, placing documents from different origins in distinct renderer processes. Insufficient validation of untrusted input passed through COOP-related code paths permits an attacker to confuse the browser about origin boundaries. As a result, a renderer that an attacker already controls can interact with content it should not be able to reach. The Chromium project rated the underlying issue as Medium severity, while the assigned CVSS score reflects the high attack complexity and the prerequisite of a compromised renderer.
Root Cause
The root cause is improper validation of attacker-influenced input flowing through the COOP enforcement logic. Chrome trusts state derived from the renderer when making site-isolation decisions tied to opener relationships. A malicious renderer can supply crafted values that the browser process fails to reject, leading the browser to treat cross-origin content as if it satisfies COOP constraints.
Attack Vector
Exploitation requires two stages. First, the attacker must compromise the renderer process, typically by chaining a separate memory-corruption or logic bug delivered through a malicious page. Second, the attacker serves a crafted HTML page that abuses the COOP validation gap to escape the site-isolation boundary. User interaction is required, and attack complexity is high. The vulnerability does not directly yield code execution outside the renderer, but it weakens an important boundary that exploit chains rely on. Technical specifics are referenced in Chromium Issue Tracker #495802788.
Detection Methods for CVE-2026-7945
Indicators of Compromise
- Chrome browser processes running versions earlier than 148.0.7778.96 after the patch release window.
- Renderer processes spawning unexpected child processes or accessing cross-origin resources inconsistent with the loaded origin.
- Outbound connections to attacker-controlled domains immediately preceded by visits to unfamiliar HTML pages.
Detection Strategies
- Inventory installed Chrome versions across managed endpoints and flag any build below 148.0.7778.96.
- Monitor browser telemetry for crashes, renderer terminations, or sandbox violations that often accompany renderer-compromise exploit chains.
- Correlate web proxy logs with endpoint activity to identify users navigating to suspicious pages followed by anomalous browser behavior.
Monitoring Recommendations
- Centralize browser version and patch-state telemetry into a SIEM or data lake for continuous compliance reporting.
- Track Chromium security advisories from the Google Chrome Stable Update channel and pipe them into vulnerability management workflows.
- Alert on endpoints that disable site isolation or COOP enforcement through enterprise policy overrides.
How to Mitigate CVE-2026-7945
Immediate Actions Required
- Update Google Chrome to version 148.0.7778.96 or later on all Windows, macOS, and Linux endpoints.
- Restart browsers after deployment to ensure the patched binary is active in memory.
- Verify that enterprise policies do not disable site isolation (SitePerProcess) or weaken COOP enforcement.
Patch Information
Google addressed the issue in the Stable channel release announced in the Google Chrome Stable Update. Administrators should deploy Chrome 148.0.7778.96 or any later Stable build through their managed update mechanism. Chromium-derived browsers should pick up the corresponding upstream fix referenced in Chromium Issue Tracker #495802788.
Workarounds
- Restrict browsing to trusted sites using URL allow-lists where business requirements permit.
- Enforce strict Content Security Policy and COOP/COEP headers on internally hosted applications to limit cross-origin interaction.
- Deploy browser isolation or remote browsing solutions for high-risk user populations until patching completes.
# Verify Chrome version on Windows endpoints
reg query "HKLM\Software\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}" /v pv
# Verify Chrome version on macOS
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version
# Verify Chrome version on Linux
google-chrome --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
