CVE-2026-7986 Overview
CVE-2026-7986 is an insufficient policy enforcement vulnerability in the Autofill component of Google Chrome prior to version 148.0.7778.96. A remote attacker can leak cross-origin data by serving a crafted HTML page to a victim. The flaw is categorized under [CWE-346] (Origin Validation Error) and requires user interaction to exploit. Google has rated the Chromium security severity as Medium. The vulnerability affects Chrome on Windows, macOS, and Linux desktop platforms. Successful exploitation results in unauthorized disclosure of data that should be isolated by the same-origin policy.
Critical Impact
A crafted HTML page can bypass Autofill origin checks, enabling remote attackers to leak cross-origin data from authenticated browser sessions.
Affected Products
- Google Chrome versions prior to 148.0.7778.96
- Chrome desktop on Microsoft Windows, Apple macOS, and Linux
- Chromium-based browsers that inherit the affected Autofill code
Discovery Timeline
- 2026-05-06 - CVE-2026-7986 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-7986
Vulnerability Analysis
The vulnerability resides in the Autofill subsystem of Google Chrome. Autofill stores form data such as addresses, payment details, and credentials, then suggests entries when users interact with form fields. The component must enforce origin boundaries so that data captured from one site cannot be exposed to another. Insufficient policy enforcement breaks this isolation. An attacker hosting a crafted HTML page can manipulate Autofill behavior to disclose information tied to a different origin. The attack requires the victim to interact with the malicious page, consistent with the User Interaction Required attribute in the CVSS vector. The impact is limited to confidentiality, with no integrity or availability consequences reported.
Root Cause
The root cause is improper origin validation [CWE-346] within Chrome Autofill prior to 148.0.7778.96. The component does not adequately verify the origin context when processing certain Autofill operations triggered from a page. As a result, content controlled by an attacker origin can observe or influence data associated with a different origin, violating the same-origin policy enforced elsewhere in the browser.
Attack Vector
Exploitation is performed remotely over the network. An attacker hosts a crafted HTML page containing form elements and scripts designed to manipulate Autofill suggestions or submission behavior. When a victim visits the page and interacts with it, the malicious content elicits Autofill responses that reveal cross-origin data. No privileges are required, and the attack can be delivered through standard web vectors such as phishing links, malvertising, or compromised sites. Public proof-of-concept code is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified exploitation code is publicly available. Refer to the Chromium Issue Tracker Entry for technical details once access restrictions are lifted.
Detection Methods for CVE-2026-7986
Indicators of Compromise
- Browser telemetry showing Chrome desktop versions earlier than 148.0.7778.96 in active use
- Outbound connections from user endpoints to newly registered or low-reputation domains hosting form-heavy HTML pages
- Unexpected Autofill prompts or form submissions in browser logs that do not correspond to user-initiated navigation
Detection Strategies
- Inventory installed Chrome versions across managed endpoints and flag any build below 148.0.7778.96
- Inspect web proxy and DNS logs for users visiting suspicious pages immediately followed by Autofill-related form POSTs to third-party origins
- Correlate browser process activity with network requests to identify cross-origin form submissions inconsistent with the visited site
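The version inventory check above is easy to get wrong when versions are compared as strings. As an added example that is not part of this advisory, the following Python flags inventory records still below the fixed build by comparing the four numeric components, so a build such as 148.0.7778.100 is not misreported as vulnerable; the host names and versions in the sample inventory are constructed.

```python
"""Flag Chrome desktop installs below the CVE-2026-7986 fixed build.

Added example, not from the advisory. Versions are compared as 4-tuples of
integers: a plain string compare would rank "148.0.7778.100" below
"148.0.7778.96" and raise a false alarm. Inventory records are constructed.
"""
from __future__ import annotations

import re

FIXED_VERSION = "148.0.7778.96"  # fixed build named in the advisory
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(v: str) -> tuple[int, ...]:
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"not a Chrome version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly below the fixed build."""
    return parse_version(version) < parse_version(fixed)


def flag_hosts(inventory: list[dict]) -> list[dict]:
    """Return inventory records that still run an affected build.

    Records whose version cannot be parsed are flagged too: an unknown
    version must be verified by hand, not silently treated as patched.
    """
    flagged = []
    for rec in inventory:
        try:
            vulnerable = is_vulnerable(rec["chrome_version"])
        except ValueError:
            vulnerable = True
        if vulnerable:
            flagged.append({**rec, "reason": f"below {FIXED_VERSION} or unknown"})
    return flagged


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "ws-001", "os": "Windows", "chrome_version": "147.0.7700.12"},
    {"host": "ws-002", "os": "macOS", "chrome_version": "148.0.7778.96"},
    {"host": "ws-003", "os": "Linux", "chrome_version": "148.0.7778.100"},
    {"host": "ws-004", "os": "Windows", "chrome_version": "148.0.7778.9"},
    {"host": "ws-005", "os": "Linux", "chrome_version": "unknown"},
]

if __name__ == "__main__":
    for rec in flag_hosts(SAMPLE_INVENTORY):
        print(f"{rec['host']} ({rec['os']}): {rec['chrome_version']} - {rec['reason']}")
```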
Monitoring Recommendations
- Enable enterprise reporting via Chrome Browser Cloud Management to track browser version compliance
- Forward browser and endpoint telemetry to a centralized analytics platform for version drift and anomalous form submission detection
- Monitor user reports of unexpected Autofill suggestions, which can indicate exposure to a crafted page
How to Mitigate CVE-2026-7986
Immediate Actions Required
- Update Google Chrome to version 148.0.7778.96 or later on all Windows, macOS, and Linux endpoints
- Force browser relaunch through endpoint management to ensure the patched binary is loaded
- Audit Chromium-derived browsers (Edge, Brave, Opera, Vivaldi) and apply vendor updates that incorporate the upstream fix
Patch Information
Google addressed CVE-2026-7986 in the Chrome Stable channel update referenced in the Google Chrome Update Notice. Administrators should deploy 148.0.7778.96 or newer. Additional context is available in the Chromium Issue Tracker Entry.
Workarounds
- Disable Autofill for addresses, payment methods, and passwords through enterprise policy until patching is complete
- Restrict navigation to untrusted sites using web filtering or browser isolation for high-risk user groups
- Educate users to avoid interacting with forms on unfamiliar pages, since exploitation requires user interaction
# Configuration example: disable Autofill via Chrome enterprise policy
# Windows registry (HKLM)
reg add "HKLM\Software\Policies\Google\Chrome" /v AutofillAddressEnabled /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Policies\Google\Chrome" /v AutofillCreditCardEnabled /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Policies\Google\Chrome" /v PasswordManagerEnabled /t REG_DWORD /d 0 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.