CVE-2026-7995 Overview
CVE-2026-7995 is an out-of-bounds read vulnerability in the AdFilter component of Google Chrome prior to version 148.0.7778.96. A remote attacker can exploit this flaw by serving a crafted HTML page to a targeted user. Successful exploitation allows arbitrary code execution within the Chrome sandbox. The vulnerability is classified under CWE-125: Out-of-bounds Read. Chromium engineers rated the underlying issue Medium severity, while NVD scoring places it in the High range due to the impact on confidentiality, integrity, and availability.
Critical Impact
A crafted web page can trigger code execution inside the Chrome renderer sandbox, providing attackers with a foothold for further exploitation when chained with a sandbox escape.
Affected Products
- Google Chrome versions prior to 148.0.7778.96 on Windows
- Google Chrome versions prior to 148.0.7778.96 on macOS
- Google Chrome versions prior to 148.0.7778.96 on Linux
Discovery Timeline
- 2026-05-06 - CVE CVE-2026-7995 published to NVD
- 2026-05-06 - Last updated in NVD database
- Patch availability - Documented in the Google Chrome Update Announcement
Technical Details for CVE-2026-7995
Vulnerability Analysis
The flaw resides in Chrome's AdFilter subsystem, which processes ad-blocking and content filtering rules against page resources. An out-of-bounds read occurs when the component reads memory outside the bounds of an allocated buffer during parsing or rule evaluation. Attackers craft HTML content that drives AdFilter into the vulnerable code path. The read primitive can be combined with heap shaping to influence control flow and achieve arbitrary code execution within the renderer process.
Execution remains constrained by the Chrome sandbox. Adversaries typically pair this class of bug with a separate sandbox escape to compromise the host. The attack requires user interaction, since the victim must load attacker-controlled content in the browser.
Root Cause
The defect is a missing or insufficient bounds check on a buffer accessed by AdFilter while processing untrusted page input. The Chromium issue tracker entry at Chromium Issue 501745798 tracks the underlying defect. Out-of-bounds reads in browser components frequently stem from incorrect length calculations, integer truncation, or assumptions about input that attacker-controlled HTML can violate.
Attack Vector
Exploitation is network-based and requires user interaction. An attacker hosts a crafted HTML page or injects malicious content into a site the victim visits. When Chrome loads the page, AdFilter processes the malicious input and triggers the out-of-bounds read. No authentication is required, and the attack can be delivered through phishing links, malvertising, or compromised legitimate sites.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-7995
Indicators of Compromise
- Chrome renderer process crashes referencing the AdFilter component in crash dumps or chrome://crashes reports
- Browser telemetry indicating unexpected child process spawns following navigation to untrusted pages
- Outbound connections from the Chrome renderer process to suspicious domains shortly after page load
Detection Strategies
- Inventory installed Chrome versions across the fleet and flag any builds older than 148.0.7778.96
- Inspect web proxy and DNS logs for users visiting newly registered domains hosting unfamiliar HTML or ad-related payloads
- Correlate endpoint process telemetry with browser crash events to identify potential exploitation attempts
Monitoring Recommendations
- Track Chrome version compliance through endpoint management tooling and surface drift in dashboards
- Monitor for unusual child processes parented by chrome.exe or Google Chrome Helper, particularly shell or scripting binaries
- Alert on renderer process crashes that recur on the same host or user, which may indicate exploitation attempts
How to Mitigate CVE-2026-7995
Immediate Actions Required
- Update Google Chrome to version 148.0.7778.96 or later on all Windows, macOS, and Linux endpoints
- Force-restart Chrome after deployment to ensure the patched binary is loaded into memory
- Validate update rollout through enterprise management consoles and remediate hosts that fail to apply the patch
Patch Information
Google released the fix in the stable channel update documented in the Google Chrome Update Announcement. Administrators managing Chrome through Google Admin Console, Microsoft Intune, or similar tools should confirm that auto-update policies are enabled and that the minimum version policy enforces 148.0.7778.96.
Workarounds
- Restrict browsing to trusted sites through enterprise URL filtering until patches are deployed
- Deploy script and ad-blocking policies that reduce exposure to malvertising delivery channels
- Enable Chrome Enterprise policies that enforce Site Isolation and disable legacy components where feasible
# Verify installed Chrome version on Linux endpoints
google-chrome --version
# Enforce minimum Chrome version via Group Policy on Windows
# Registry path: HKLM\Software\Policies\Google\Chrome
# Value name: TargetVersionPrefix
# Value data: 148.0.7778.96
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
