{
"title": "Chrome CVE‑2026‑7351 Exposes Race Condition in MHTML—Malicious Extensions Can Leak Cross‑Origin Data",
"content": "Google disclosed a high‑severity security vulnerability, CVE‑2026‑7351, on April 28, 2026, affecting Chrome versions prior to 147.0.7727.138. The flaw involves a race condition in MHTML processing, enabling a malicious extension to exfiltrate cross‑origin data from the browser environment (thehackerwire.com).
Technical Breakdown
The vulnerability stems from a race condition (CWE‑362) in the MHTML handling code. It allows crafted Chrome extensions—once installed—to leak data across origin boundaries, exposing potentially sensitive information (nvd.nist.gov). Affected versions include all Chrome releases before 147.0.7727.138. The Chromium security severity rating for CVE‑2026‑7351 is categorized as High (thehackerwire.com). Multiple sources confirm this boundary: NVD, Vulners, Tenable, SUSE, and others all align on version 147.0.7727.138 as the cutoff for vulnerability (vulners.com).
Severity and Scoring
Severity-wise, Chromium defines this as High, although the National Vulnerability Database has not yet published its own CVSS score. CISA's ADP assigns a CVSS v3.1 score of 3.1 (Low), citing network attack vector, high complexity, no privileges required, but only low confidentiality impact (nvd.nist.gov).
Platform Impact & Patch Status
Google released a Stable Channel update on April 28, 2026, addressing this issue in build 147.0.7727.138. Users must update to this version or later to eliminate exposure (thehackerwire.com). Linux distributions vary in response. Some remain unpatched; for example, Nessus identifies Linux/Unix hosts with affected Chrome packages lacking vendor remediation (tenable.com). Similarly, Red Hat has logged the issue in Bugzilla (bug 2463656) and marked it as 'NEW', signaling a fix might still be in progress (bugzilla.redhat.com).
Broader Extension Risks & Context
While CVE‑2026‑7351 is specific to MHTML, it reflects a larger, systemic risk: browser extensions, even with legitimate permissions, can be leveraged to bypass security boundaries. Previous findings reveal that malicious extensions exfiltrate session tokens or files and can persist long-term before detection (cybernews.com). Academic studies show that malicious or over‑privileged extensions remain a persistent threat, often slipping past vetting processes and potentially turning the browser into a data-exfiltration platform (arxiv.org).
Impact on Windows Users and Administrators
Windows users must install the update promptly. Any Chrome running before 147.0.7727.138 remains vulnerable. Admins should enforce update policies and verify relaunch statuses. As with other recent patches (e.g., WebRTC CVE‑2026‑7341), both Chrome and other Chromium-based browsers—Edge, Brave, Electron apps—must be updated, since the same engine is shared across platforms (windowsforum.com).
What Users Should Do Now
Immediately update Chrome to version 147.0.7727.138 or higher.
Avoid installing extensions from untrusted sources.
Audit installed extensions and remove anything unnecessary or unfamiliar.
For organizations, ensure patch deployment includes browser relaunch, and track Chromium variants (browsers, embedded apps).
Looking Ahead
CVE‑2026‑7351 emphasizes a recurring theme: browser extensions wield deep access and, when combined with subtle flaws like race conditions, yield powerful attack vectors. It illustrates how security boundaries can fracture not only through core code bugs but also through abuse of normal extension infrastructure. The long game here is twofold: Google must harden extension APIs and execution, while enterprises must treat browser patching as infrastructure maintenance—not optional feature updates. Extension governance, runtime auditing, and swift update cycles are critical defensive measures.
Expect future patches addressing feature‑adjacent vulnerabilities in other browser subsystems. Until then, proactive mitigation—keeping Chrome updated and minimizing extension exposure—remains the most reliable strategy.
Future-proof insight: As Chromium continues to evolve, each browser subsystem—MHTML, WebRTC, V8, ANGLE—is a potential attack surface. Vigilance in update practices and extension permissions will be the best shield for Windows users and IT teams managing browser fleets.
",
"summary": "Google patched CVE‑2026‑7351 on April 28, 2026—a high‑severity MHTML race condition in Chrome before version 147.0.7727.138 allowed malicious extensions to leak cross‑origin data. Windows admins must update immediately, audit extensions, and treat browser patching as essential infrastructure maintenance.",
"metadescription": "Learn about CVE‑2026‑7351, a critical MHTML race‑condition in Chrome before 147.0.7727.138 that enables malicious extensions to leak cross‑origin data—and how to protect your Windows systems.",
"tags": ["CVE‑2026‑7351", "Chrome security", "browser extensions", "race condition", "Windows administration", "patch management", "Chromium vulnerabilities"],
"referencelinks": [
"Google Stable Channel Update advisory (April 28 2026)",
"NVD CVE‑2026‑7351 official entry",
"Nessus plugin details on affected Linux distributions",
"Red Hat Bugzilla entry for CVE‑2026‑7351"
]
}