CVE-2026-9115 Overview
CVE-2026-9115 is a same-origin policy bypass in the Service Worker component of Google Chrome before version 148.0.7778.179. The flaw stems from insufficient policy enforcement [CWE-693], allowing a remote attacker to bypass cross-origin restrictions through a crafted HTML page. Chromium's security team rated the issue High severity, while the assigned CVSS 3.1 base score reflects limited confidentiality impact requiring user interaction. Successful exploitation enables an attacker-controlled page to access resources that should be isolated by the browser's origin boundaries. Google addressed the issue in a Stable Channel update for Desktop.
Critical Impact
A remote attacker can bypass the same-origin policy through a crafted HTML page, exposing cross-origin data to attacker-controlled scripts via Service Worker abuse.
Affected Products
- Google Chrome Desktop versions prior to 148.0.7778.179
- Chromium-based browsers sharing the affected Service Worker code path
- Windows, macOS, and Linux Chrome distributions on the Stable Channel
Discovery Timeline
- 2026-05-20 - CVE-2026-9115 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-9115
Vulnerability Analysis
The vulnerability resides in Chrome's Service Worker implementation, which mediates background scripts that intercept network requests and cache responses for web origins. Service Workers run scoped to a registering origin and must enforce the same-origin policy when handling fetch events and cross-origin resources. Insufficient policy enforcement in this component allows a crafted HTML page to manipulate Service Worker behavior so that responses from another origin become reachable by the attacker's context.
The weakness is classified under [CWE-693] Protection Mechanism Failure, indicating that an existing security control fails to apply rather than being absent. Because Service Workers persist across navigations and control subsequent requests within their registered scope, a successful bypass undermines a foundational browser isolation boundary. User interaction is required, typically in the form of visiting an attacker-controlled page.
Root Cause
The root cause is incomplete validation of origin or scope constraints in the Service Worker pipeline. When the policy check is skipped or misapplied, cross-origin responses are exposed to script contexts that should not receive them. The Chromium issue tracker entry documents the underlying defect at Chromium Issue Tracker Entry.
Attack Vector
Exploitation is network-based and requires the victim to load a malicious HTML page. The attacker registers or interacts with a Service Worker in a way that triggers the flawed enforcement path. No authentication is required, and the attack complexity is low. The vulnerability impacts confidentiality by exposing cross-origin content while leaving integrity and availability unaffected.
No verified public proof-of-concept code is available. See the Google Chrome Desktop Update for the vendor disclosure.
Detection Methods for CVE-2026-9115
Indicators of Compromise
- Unexpected Service Worker registrations in browser profiles tied to untrusted domains
- Browser telemetry showing cross-origin fetch responses returned to unrelated origins
- Outbound requests to newly registered or low-reputation domains hosting Service Worker scripts
Detection Strategies
- Inventory installed Chrome versions across the fleet and flag hosts running builds earlier than 148.0.7778.179
- Inspect browser-managed Service Worker registrations through enterprise management policies and remove unapproved entries
- Correlate web proxy logs for repeated retrieval of service-worker.js files from suspicious origins followed by sensitive cross-origin requests
Monitoring Recommendations
- Enable Chrome Enterprise reporting to surface version drift and extension or worker anomalies
- Forward browser and proxy telemetry into a centralized analytics platform for cross-origin behavior analysis
- Alert on user navigation to newly observed domains immediately followed by persistent background fetches characteristic of Service Worker abuse
How to Mitigate CVE-2026-9115
Immediate Actions Required
- Update Google Chrome Desktop to version 148.0.7778.179 or later on all supported platforms
- Enforce automatic browser updates through Chrome Enterprise policies or endpoint management tooling
- Audit Chromium-based browsers in the environment and apply equivalent vendor patches as they ship
Patch Information
Google released the fix in the Stable Channel update documented at Google Chrome Desktop Update. Administrators should confirm the deployed build matches or exceeds 148.0.7778.179. The Chromium tracking record is available at Chromium Issue Tracker Entry.
Workarounds
- Restrict Service Worker usage to trusted origins via the ServiceWorkerAllowedForUrls and related Chrome Enterprise policies until patching completes
- Block known malicious domains at the web proxy and DNS layers to limit delivery of crafted HTML pages
- Train users to avoid following untrusted links and verify that browser auto-update is functioning on managed endpoints
# Verify installed Chrome version on Linux endpoints
google-chrome --version
# Example Chrome Enterprise policy fragment (JSON) to constrain Service Workers
# /etc/opt/chrome/policies/managed/service_worker_policy.json
{
"DefaultJavaScriptSetting": 1,
"ServiceWorkerAllowedForUrls": [
"https://[*.]corp.example.com"
],
"URLBlocklist": [
"http://*",
"https://untrusted.example/*"
]
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
