CVE-2026-7961 Overview
CVE-2026-7961 is an input validation vulnerability in the Permissions component of Google Chrome prior to version 148.0.7778.96. The flaw allows an attacker positioned on the same local network segment as the victim to leak cross-origin data by sending crafted network traffic. Google classifies the Chromium security severity as Medium. The issue is tracked under CWE-20: Improper Input Validation and affects Chrome on Windows, macOS, and Linux.
Critical Impact
An adjacent-network attacker can bypass same-origin protections in Chrome's Permissions handling to read data belonging to other web origins, breaking a core browser security boundary.
Affected Products
- Google Chrome prior to 148.0.7778.96 on Microsoft Windows
- Google Chrome prior to 148.0.7778.96 on Apple macOS
- Google Chrome prior to 148.0.7778.96 on Linux
Discovery Timeline
- 2026-05-06 - CVE-2026-7961 published to NVD
- 2026-05-07 - Last updated in NVD database
- May 2026 - Google releases Stable Channel Update for Desktop addressing the issue
Technical Details for CVE-2026-7961
Vulnerability Analysis
The vulnerability resides in Chrome's Permissions subsystem, which mediates how web origins request and obtain capabilities such as geolocation, notifications, camera, and microphone access. Insufficient validation of untrusted input from the local network allows an attacker to influence permission state or related responses in ways that expose data scoped to other origins.
Because the attack vector is Adjacent Network, exploitation requires the attacker to share a logical network segment with the victim, such as a corporate LAN, a guest Wi-Fi, or a shared coffee-shop network. No user interaction or authentication is required. The confidentiality impact is limited to information disclosure; integrity and availability are not affected.
Further technical context is tracked in Chromium Issue Tracker #497008295.
Root Cause
The defect is an [CWE-20] improper input validation issue in the Permissions component. Chrome accepts data sourced from network responses without sufficient checks before using it in cross-origin permission decisions. Untrusted bytes flow into a code path that should only operate on validated, origin-scoped input.
Attack Vector
An attacker on the same local network segment crafts malicious network traffic that Chrome consumes through the Permissions flow. The malformed input causes Chrome to disclose data tied to a different origin than the attacker controls. Typical scenarios include rogue devices on shared Wi-Fi, compromised local services, and machine-in-the-middle positions on unencrypted protocols.
No verified public proof-of-concept exists for CVE-2026-7961. See the Chromium Issue Tracker entry for additional technical details.
Detection Methods for CVE-2026-7961
Indicators of Compromise
- Chrome browser processes running with version strings earlier than 148.0.7778.96 on Windows, macOS, or Linux endpoints.
- Unexpected outbound or intra-LAN traffic from Chrome to non-routable addresses, particularly to local services that the user did not knowingly access.
- Anomalous permission prompt activity or permission state changes recorded in Chrome enterprise telemetry.
Detection Strategies
- Inventory installed Chrome versions across the fleet and flag any build older than 148.0.7778.96 for remediation.
- Monitor for adjacent-network reconnaissance patterns such as ARP sweeps, mDNS abuse, and unsolicited LAN HTTP responses targeting browser clients.
- Correlate browser process telemetry with network egress to identify Chrome instances communicating with unusual local hosts during web sessions.
Monitoring Recommendations
- Enable Chrome Enterprise reporting and forward browser version, extension, and policy telemetry to a centralized analytics platform.
- Track DHCP and ARP tables on user network segments to identify unauthorized devices that could stage adjacent-network attacks.
- Alert on Chrome update failures so endpoints stuck on vulnerable builds are surfaced quickly.
How to Mitigate CVE-2026-7961
Immediate Actions Required
- Update Google Chrome to version 148.0.7778.96 or later on all Windows, macOS, and Linux endpoints.
- Verify auto-update is enabled and that managed devices have applied the patch by checking chrome://settings/help or enterprise reporting.
- Restart Chrome on every endpoint after the update so the new binary is loaded into memory.
Patch Information
Google addressed CVE-2026-7961 in Chrome 148.0.7778.96 through the Stable Channel desktop release. Distribution and version notes are published in the Stable Channel Update for Desktop. Chromium-based browsers that consume upstream fixes (Edge, Brave, Opera, Vivaldi) should be updated to the corresponding vendor release that incorporates this patch.
Workarounds
- Restrict use of untrusted shared networks; require employees to use VPN or trusted segments when browsing sensitive sites.
- Apply the Chrome enterprise policy TargetVersionPrefix to force minimum version 148.0.7778.96 across managed devices.
- Segment guest and IoT networks away from corporate user VLANs to reduce exposure to adjacent-network attackers.
# Verify installed Chrome version on Linux/macOS
google-chrome --version
# Windows (PowerShell) - check installed Chrome version
(Get-Item "$Env:ProgramFiles\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion
# Confirm version is >= 148.0.7778.96 before considering the host remediated
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
