CVE-2026-7997 Overview
CVE-2026-7997 is a local privilege escalation vulnerability in the Google Chrome Updater component on macOS. The flaw stems from insufficient validation of untrusted input [CWE-20] in the Updater on versions prior to 148.0.7778.96. A local attacker can plant a malicious file to escalate to OS-level privileges. Google Chrome runs an elevated updater service on macOS, which makes input validation gaps in this component a viable path to root-level code execution. Chromium rates the security severity as Low, while the assigned CVSS 3.1 base score is 7.8.
Critical Impact
A local attacker who places a malicious file in a path consumed by the Chrome Updater can achieve OS-level privilege escalation on macOS, gaining high impact to confidentiality, integrity, and availability.
Affected Products
- Google Chrome on macOS prior to 148.0.7778.96
- Apple macOS hosts running affected Chrome builds
- Chrome Updater service component
Discovery Timeline
- 2026-05-06 - CVE-2026-7997 published to NVD
- 2026-05-06 - Last updated in NVD database
- 2026-05 - Google releases stable channel update for desktop addressing the issue
Technical Details for CVE-2026-7997
Vulnerability Analysis
The vulnerability resides in the Chrome Updater on macOS, the privileged component responsible for keeping the browser current. The Updater accepts input from local sources without sufficient validation. An attacker with local access can stage a malicious file that the Updater consumes during its workflow. Because the Updater runs with elevated privileges on macOS, processing of the attacker-controlled input results in operations executing in a higher privilege context than the user. The outcome is OS-level privilege escalation, with full impact to confidentiality, integrity, and availability of the host.
Root Cause
The root cause is improper input validation [CWE-20] in the Chrome Updater. The component does not adequately verify the integrity, origin, or contents of files it processes during update operations. This trust gap allows attacker-supplied data to influence privileged execution paths.
Attack Vector
Exploitation requires local access to the macOS host and user interaction, per the CVSS vector. The attacker drops a crafted file in a location the Updater reads, then triggers or waits for the Updater workflow. No prior privileges are required. The attack does not traverse the network and is constrained to scenarios where a low-privileged user can stage files on disk.
No public proof-of-concept code is available. Technical specifics are tracked in Chromium Issue Tracker #487960705.
Detection Methods for CVE-2026-7997
Indicators of Compromise
- Unexpected files written to directories consumed by the Chrome Updater (GoogleSoftwareUpdate, Keystone, or GoogleUpdater paths under /Library/ and ~/Library/Application Support/).
- Child processes spawned by the privileged Chrome Updater that do not match Google-signed binaries.
- Modification of Updater configuration plists or launch agents/daemons by non-administrative users.
Detection Strategies
- Monitor file creation and modification events under Chrome Updater directories by non-Google processes.
- Alert on privilege transitions where a user-context process triggers root-level execution through the Updater service.
- Compare loaded executables and scripts against Google's expected code-signing identity for the Updater.
Monitoring Recommendations
- Collect macOS Endpoint Security Framework telemetry for exec, open, and rename events targeting Updater paths.
- Track installed Chrome versions across the fleet and flag hosts running below 148.0.7778.96.
- Review system.log and Updater logs for anomalous invocation patterns or repeated update failures.
How to Mitigate CVE-2026-7997
Immediate Actions Required
- Update Google Chrome on all macOS endpoints to version 148.0.7778.96 or later.
- Verify that the Chrome auto-update mechanism is functional and not blocked by local policy.
- Audit macOS hosts for unauthorized files in Chrome Updater directories before patching.
Patch Information
Google addressed the vulnerability in the Chrome stable channel update for desktop. Upgrade to Chrome 148.0.7778.96 or later on macOS. Refer to the Google Chrome Update Post for release details and the Chromium Issue Tracker #487960705 for component context.
Workarounds
- Restrict local interactive access on macOS endpoints to trusted users until patches are deployed.
- Apply file system permission reviews on Chrome Updater directories to prevent unprivileged write access.
- Enforce application allowlisting to block execution of unsigned binaries staged in user-writable paths.
# Verify installed Chrome version on macOS
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version
# Trigger an on-demand update check via the Updater
/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent -runMode oneShot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
