CVE-2026-7958 Overview
CVE-2026-7958 is a Universal Cross-Site Scripting (UXSS) vulnerability in the ServiceWorker component of Google Chrome versions prior to 148.0.7778.96. The flaw stems from an inappropriate implementation that allows an attacker who convinces a user to install a malicious extension to inject arbitrary scripts or HTML into web pages. Google classifies the Chromium security severity as Medium. The vulnerability is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation and affects Chrome on Windows, macOS, and Linux.
Critical Impact
A crafted Chrome Extension can leverage the ServiceWorker flaw to inject arbitrary scripts or HTML into arbitrary origins, breaking the same-origin policy and exposing user session data across sites.
Affected Products
- Google Chrome versions prior to 148.0.7778.96
- Chrome on Microsoft Windows, Apple macOS, and Linux
- Chromium-based browsers sharing the affected ServiceWorker implementation
Discovery Timeline
- 2026-05-06 - CVE-2026-7958 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-7958
Vulnerability Analysis
The vulnerability resides in Chrome's ServiceWorker implementation, the background script worker that intercepts and handles network requests for web origins. An inappropriate implementation in this component permits a malicious Chrome Extension to bypass intended origin boundaries. The result is Universal Cross-Site Scripting, where attacker-controlled JavaScript or HTML executes within the context of arbitrary web origins. Successful exploitation requires user interaction: the victim must install a malicious extension from an untrusted source. Once installed, the extension can manipulate ServiceWorker behavior to inject content into pages the user visits.
Root Cause
ServiceWorkers operate at a privileged layer between the browser and the network, with the ability to intercept fetch events and respond with arbitrary content. The defect allows a crafted extension to influence ServiceWorker script handling so that injected scripts run under the origin of pages the user navigates to, rather than being confined to the extension's own context. This breaks the security boundary that normally isolates extension-supplied content from page origins.
Attack Vector
Exploitation requires the attacker to distribute a malicious Chrome Extension and convince a user to install it through social engineering, sideloading, or a compromised extension marketplace listing. Once installed, the extension uses the ServiceWorker pathway to inject scripts into pages the victim visits. The attacker can then steal authentication cookies, hijack sessions, exfiltrate form data, or perform actions on behalf of the user. Because the injection occurs in the context of legitimate origins, traditional Content Security Policy controls on those sites may not block the activity.
No verified public proof-of-concept code is available. Refer to the Chromium Issue Tracker entry and the Google Chrome Update Announcement for vendor technical details.
Detection Methods for CVE-2026-7958
Indicators of Compromise
- Installation of unverified or sideloaded Chrome Extensions, particularly those requesting broad host permissions or webRequest and scripting access
- Unexpected ServiceWorker registrations originating from extension contexts in chrome://serviceworker-internals
- Outbound connections from browser processes to attacker-controlled domains following extension installation
Detection Strategies
- Inventory installed Chrome Extensions across managed endpoints and compare against an approved allowlist
- Monitor extension manifests for elevated permissions such as <all_urls>, tabs, and webRequest that enable cross-origin script injection
- Inspect browser telemetry for anomalous script execution patterns or unexpected DOM modifications on sensitive sites
Monitoring Recommendations
- Enforce enterprise extension management through Chrome policies (ExtensionInstallAllowlist, ExtensionInstallBlocklist)
- Log Chrome version data from endpoints and alert on instances running below 148.0.7778.96
- Forward browser and endpoint telemetry to a centralized analytics platform for correlation of extension installs with suspicious web activity
How to Mitigate CVE-2026-7958
Immediate Actions Required
- Update Google Chrome to version 148.0.7778.96 or later on all Windows, macOS, and Linux endpoints
- Audit all installed Chrome Extensions and remove any that are unsanctioned, unsigned, or sideloaded
- Restrict extension installation to the Chrome Web Store and an approved internal allowlist via enterprise policy
Patch Information
Google released the fix in the Chrome Stable channel update referenced in the Google Chrome Update Announcement. Administrators should deploy Chrome 148.0.7778.96 or later. Chromium-based browsers that integrate the upstream fix should also be updated as their respective vendors publish patched builds.
Workarounds
- Block end-user extension installation using ExtensionInstallBlocklist set to * and explicitly allowlist required extensions
- Educate users on the risks of installing extensions from outside the Chrome Web Store and from unverified publishers
- Disable Developer Mode in Chrome to prevent loading of unpacked extensions on managed devices
# Configuration example: Chrome enterprise policy to block all extensions except an approved allowlist
# Linux: /etc/opt/chrome/policies/managed/extensions.json
{
"ExtensionInstallBlocklist": ["*"],
"ExtensionInstallAllowlist": [
"approved_extension_id_1",
"approved_extension_id_2"
],
"ExtensionInstallSources": [
"https://clients2.google.com/service/update2/crx"
],
"DeveloperToolsAvailability": 2
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
