Microsoft and Google have jointly flagged a high‑severity vulnerability in the Chromium engine that underpins both Google Chrome and Microsoft Edge. Tracked as CVE-2026-7930, the flaw allows a remote attacker to craft a webpage that misuses cookie‑handling logic to exfiltrate authentication tokens, session cookies, or other sensitive browser‑stored data. The vulnerability was disclosed in Chrome’s stable channel update on May 7, 2026, and Microsoft immediately followed with an advisory for Edge and all Windows environments where Chromium browsers are deployed.
What is CVE-2026-7930?
CVE-2026-7930 is a logic error in the way Chromium’s cookie manager processes certain cross‑origin redirects combined with Partitioned cookies. In simplified terms, when a website sets a cookie with the Partitioned attribute—a privacy feature designed to tie cookies to a specific top‑level site—the browser should guarantee that these cookies are never accessible from a different top‑level context. The bug permitted a maliciously constructed website to bypass this isolation. By chaining a series of precise redirects and faking a top‑level navigation, an attacker could trick the browser into exposing Partitioned cookies to a third‑party origin.
Security researcher Alexei Volkov of Google’s Project Zero discovered the flaw and reported it through Chromium’s responsible disclosure process on April 3, 2026. After internal verification and fix development, the patch was merged into the Chromium main branch and cherry‑picked into the Chrome 148 release line. The stable channel update 148.0.7778.96 for Windows, Mac, and Linux includes the remediating code changes.
Affected software and patching timeline
All Chromium‑based browsers are potential vectors until their vendor integrates the upstream patch. The components Windows administrators must prioritise are:
- Google Chrome versions prior to 148.0.7778.96 (all desktop platforms)
- Microsoft Edge – the corresponding Edge stable channel version that incorporates the fix is 148.0.7778.96 (the same major Chromium version). Microsoft released the Edge patch on May 7, 2026, synchronised with the Chrome update.
- Electron‑based applications, WebView2, and Teams – any software embedding Chromium via Electron or WebView2 inherits this vulnerability until the host application rebuilds with a patched Chromium. Microsoft explicitly called out that the WebView2 Runtime must be updated through its own standalone installer or via Windows Update.
Windows Server and client versions are affected only insofar as they run an unpatched Chromium browser. The operating system itself is not at fault, but fleet administrators must nevertheless treat this as a critical patch‑management event because the browsers are the primary gateway to cloud services.
Technical breakdown – how the cookie isolation broke
Most modern browsers support the Partitioned cookie attribute, which forces a cookie to be stored under a double key: (top‑level site, cookie‑setter origin). For example, a cookie set by chat.example.com embedded on portal.example.org is only sent back when the browser is on portal.example.org and making a subresource request to chat.example.com. This prevents cross‑site tracking.
CVE-2026-7930 existed in the algorithm that decides whether a pending redirect constitutes a “same‑top‑level” navigation. The Chromium network stack uses a state machine to handle HTTP 302 and JavaScript‑initiated navigations. Under certain sequences that involved a same‑site redirect followed by a cross‑site redirect that landed back on the original top‑level domain, the cookie manager erroneously reconciled the partition key. The result: a cookie that was supposed to be bound to site‑A.com became readable by evil.com if evil.com could lure the user through that redirect chain.
An attacker hosting a malicious page would only need to convince a victim to click a link or spend a few seconds on the attacker‑controlled site. No memory corruption, no sandbox escape—just a purely logical bypass. That makes the attack surface wide. Any web application that relies on Partitioned cookies to hold session tokens or non‑HttpOnly authentication cookies is exposed. Even though many authentication cookies are HttpOnly and Secure, Partitioned cookies often carry CSRF tokens, user preferences, or secondary authentication material that can be leveraged in combination with other attacks.
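To make the double‑key rule concrete, the following PowerShell snippet is an added example (it is not Chromium code and does not reproduce the bug) that models a toy cookie jar keyed the way Partitioned cookies are: by (top‑level site, setter host), beside the single‑key lookup used for ordinary third‑party cookies. Hostnames, cookie names and the simplified registrable‑site helper are constructed assumptions; a real browser consults the Public Suffix List and keys on the full setter origin.

```powershell
# Added example, not Chromium code: a toy cookie jar that models the
# Partitioned double key (top-level site, setter host) next to the single-key
# lookup used for unpartitioned third-party cookies. Names are constructed.

function Get-Site {
    # Reduce a hostname to its registrable site (last two labels).
    # Assumption: simplified stand-in for the Public Suffix List lookup a browser performs.
    param([string]$HostName)
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -le 2) { return $HostName.ToLower() }
    return ($labels[-2..-1] -join '.')
}

$script:Jar = @{}   # storage key -> cookie value

function Set-JarCookie {
    param(
        [string]$TopLevelHost,   # host in the address bar when the cookie is set
        [string]$SetterHost,     # host of the response that carried Set-Cookie
        [string]$Name,
        [string]$Value,
        [switch]$Partitioned
    )
    # Partitioned cookies are stored under the top-level site as well; others only under the setter host.
    $key = if ($Partitioned) { "$(Get-Site $TopLevelHost)|$SetterHost|$Name" } else { "*|$SetterHost|$Name" }
    $script:Jar[$key] = $Value
}

function Get-JarCookie {
    param([string]$TopLevelHost, [string]$RequestHost, [string]$Name)
    # A partitioned cookie is attached only when the current top-level site matches the one
    # it was set under; an unpartitioned cookie is attached from any top-level site.
    $partitionedKey   = "$(Get-Site $TopLevelHost)|$RequestHost|$Name"
    $unpartitionedKey = "*|$RequestHost|$Name"
    if ($script:Jar.ContainsKey($partitionedKey))   { return $script:Jar[$partitionedKey] }
    if ($script:Jar.ContainsKey($unpartitionedKey)) { return $script:Jar[$unpartitionedKey] }
    return $null
}

# chat.example.com, embedded on portal.example.org, sets a partitioned session cookie...
Set-JarCookie -TopLevelHost 'portal.example.org' -SetterHost 'chat.example.com' -Name 'sid' -Value 'abc123' -Partitioned
# ...and, for comparison, an old-style unpartitioned tracking cookie
Set-JarCookie -TopLevelHost 'portal.example.org' -SetterHost 'chat.example.com' -Name 'track' -Value 't-1'

# Constructed lookups: the same embed requested from the original site and from evil.com
$cases = @(
    @{ Label = 'partitioned, same top-level site';    Top = 'portal.example.org'; Name = 'sid' },
    @{ Label = 'partitioned, other top-level site';   Top = 'evil.com';           Name = 'sid' },
    @{ Label = 'unpartitioned, other top-level site'; Top = 'evil.com';           Name = 'track' }
)
foreach ($c in $cases) {
    $v = Get-JarCookie -TopLevelHost $c.Top -RequestHost 'chat.example.com' -Name $c.Name
    '{0,-40} -> {1}' -f $c.Label, $(if ($null -eq $v) { '(not sent)' } else { $v })
}
```

The second case is the guarantee the vulnerability broke: the partitioned sid cookie is reported as not sent from the evil.com top‑level context, while the unpartitioned track cookie is still handed over from any site, which is exactly the cross‑site behaviour partitioning was introduced to stop.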
Real‑world impact for Windows enterprise fleets
For organisations managing hundreds or thousands of Windows endpoints, CVE-2026-7930 represents a serious business‑continuity risk. Here’s why:
- Session hijacking without malware: A user visiting a watering‑hole website or a compromised ad network could have their cloud‑SaaS session stolen immediately. Because the attack needs only a malicious redirect, traditional endpoint detection struggles to block it.
- Bypass of conditional access: Many enterprises enforce device‑based conditional access policies, assuming that a browser session secured behind multi‑factor authentication is safe. Exfiltrating the Partitioned cookie can let an attacker replay that authenticated session from a different device, effectively nullifying MFA.
- Propagation through linked apps: Microsoft 365 and Azure AD‑integrated applications often store refresh‑token‑like data in Partitioned cookies for seamless single sign‑on. A compromised cookie could grant persistent, long‑lived access to email, SharePoint, and Teams.
- Linux and Mac are also exposed, but the density of Windows‑managed fleets makes the Windows attack surface particularly attractive.
Microsoft’s Security Response Center assigned the vulnerability an “Important” severity rating, while the Chromium project rated it “High”. The slight difference stems from default browser configurations; Edge ships with enhanced cookie controls in Enterprise mode, but those controls are not on by default.
Immediate remediation steps
System administrators should execute the following actions within the next 48 hours:
- Update Google Chrome – Deploy Chrome 148.0.7778.96 through your software distribution tool (SCCM, Intune, or Group Policy). Verify the version by navigating to chrome://settings/help. Google has published the MSI installer for enterprise deployment.
- Update Microsoft Edge – Edge will auto‑update if allowed, but a manual update can be forced via edge://settings/help. For controlled environments, push the latest Edge stable MSI from the Microsoft Edge Business download page. The patched version number is identical to Chrome’s: 148.0.7778.96.
- Update WebView2 Runtime – If your line‑of‑business applications embed WebView2, you must update the Evergreen or Fixed version of the WebView2 Runtime. Use the standalone bootstrapper or deploy the Microsoft.WebView2.Redistributable package. Check the runtime version in %ProgramFiles%\Microsoft\EdgeWebView\Application\148.0.7778.96.
- Patch Electron‑based apps – Identify any custom Electron applications your organisation developed or acquired. Instruct the development team to rebase on Electron 32 or higher (which ships with the patched Chromium) and rebuild the installers.
- Audit conditional access and session controls – While patching is underway, reduce the session lifetime for critical cloud applications via Azure AD Conditional Access. Enforce “sign‑in frequency” policies that require re‑authentication every few hours.
- Network detection – Deploy Snort or Suricata signatures to catch the known redirect pattern. Chromium’s security team published indicators: a sequence of three 302 redirects where the second redirect points to a top‑level domain that differs from the first, followed by a final redirect back to the original top‑level site. Blocking such chains at the proxy can hinder exploitation.
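For teams that keep web‑proxy logs rather than run an IDS, the PowerShell below is an added example (not a signature published by Chromium’s security team) that searches a log for the indicator described in the network‑detection step: three consecutive 302 responses for one client where the first redirect stays on the original site, the second leaves it for a different top‑level domain, and the third returns to the original site. The log line format, the client addresses and the sample lines are constructed assumptions; adapt ConvertFrom-ProxyLine to your proxy’s export format.

```powershell
# Added example, not Chromium's or Microsoft's detection content: flags the
# same-site -> cross-site -> back-to-origin 302 chain in proxy logs.
# Assumed line format: "<ISO time> <client-ip> <status> <request-url> <location-or-dash>"

function Get-Site {
    # Registrable site as the last two labels (assumption: simplified Public Suffix List).
    param([string]$HostName)
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -le 2) { return $HostName.ToLower() }
    return ($labels[-2..-1] -join '.')
}

function ConvertFrom-ProxyLine {
    param([string]$Line)
    $f = $Line -split '\s+'
    if ($f.Count -lt 5) { return $null }
    [pscustomobject]@{
        Time     = [datetime]$f[0]
        Client   = $f[1]
        Status   = [int]$f[2]
        Url      = [uri]$f[3]
        Location = if ($f[4] -ne '-') { [uri]$f[4] } else { $null }
    }
}

function Find-SuspiciousRedirectChain {
    param([string[]]$Lines)
    $events = $Lines | ForEach-Object { ConvertFrom-ProxyLine $_ } | Where-Object { $_ }
    $hits = @()
    foreach ($group in ($events | Group-Object Client)) {
        # Per client: only 302 responses that carried a Location header, in time order
        $hops = @($group.Group | Where-Object { $_.Status -eq 302 -and $_.Location } | Sort-Object Time)
        for ($i = 0; $i -le $hops.Count - 3; $i++) {
            $h1, $h2, $h3 = $hops[$i], $hops[$i + 1], $hops[$i + 2]
            $origin          = Get-Site $h1.Url.Host
            $sameSiteFirst   = (Get-Site $h1.Location.Host) -eq $origin   # first hop stays on the origin site
            $crossSiteSecond = (Get-Site $h2.Location.Host) -ne $origin   # second hop leaves for another site
            $backToOrigin    = (Get-Site $h3.Location.Host) -eq $origin   # third hop returns to the origin site
            if ($sameSiteFirst -and $crossSiteSecond -and $backToOrigin) {
                $hits += [pscustomobject]@{
                    Client = $group.Name
                    Start  = $h1.Time
                    Origin = $origin
                    Detour = Get-Site $h2.Location.Host
                    Chain  = (@($h1.Url, $h1.Location, $h2.Location, $h3.Location) | ForEach-Object { $_.AbsoluteUri }) -join ' -> '
                }
            }
        }
    }
    return $hits
}

# Constructed sample: 10.0.0.5 walks the full chain, 10.0.0.9 performs an ordinary two-hop SSO redirect
$sample = @(
    '2026-05-08T10:01:02Z 10.0.0.5 302 https://site-a.com/start https://login.site-a.com/step1',
    '2026-05-08T10:01:03Z 10.0.0.5 302 https://login.site-a.com/step1 https://evil.com/bounce',
    '2026-05-08T10:01:04Z 10.0.0.5 302 https://evil.com/bounce https://site-a.com/landing',
    '2026-05-08T10:01:05Z 10.0.0.5 200 https://site-a.com/landing -',
    '2026-05-08T10:02:10Z 10.0.0.9 302 https://portal.example.org/ https://login.example.org/sso',
    '2026-05-08T10:02:11Z 10.0.0.9 302 https://login.example.org/sso https://idp.example.net/auth',
    '2026-05-08T10:02:12Z 10.0.0.9 200 https://idp.example.net/auth -'
)
Find-SuspiciousRedirectChain -Lines $sample | Format-List
```

Only the 10.0.0.5 chain is reported. Legitimate federation flows that bounce through an identity provider and back can match the same shape, so treat hits as a hunting lead, allow‑list your known IdP sites in the Detour field, and tune the window before turning this into a blocking rule.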
Why this cookie fix matters more than usual
Every Chrome release fixes a handful of security bugs, but CVE-2026-7930 is unusual because it undermines a core privacy‑sandbox feature that the industry spent years implementing. Partitioned cookies were supposed to eliminate lingering cross‑site tracking without breaking legitimate embedded content. Google, Microsoft, Mozilla, and Apple all shipped the Partitioned cookie specification as the default in their browsers after Chrome 114, Edge 114, Firefox 120, and Safari 17.
A flaw that breaks the fundamental promise of cookie isolation erodes trust in the entire privacy‑sandbox endeavor. It also serves as a reminder that logical bugs in web‑platform features can be just as damaging as classic memory‑corruption vulnerabilities—and they require just as urgent a patch response.
For Windows admins, the practical lesson is that Chromium patch management cannot be relegated to monthly “Patch Tuesday” thinking. Critical browser vulnerabilities emerge constantly (often every two weeks with Chrome’s release cadence). Automated browser‑update policies and a dedicated browser‑update ring separate from the OS update ring are essential.
Verification – how to check if your fleet is protected
After applying the updates, confirm the patch using these methods:
- PowerShell script for remote checks: You can query the Chrome and Edge version remotely via the registry or the installed programs list. The App Paths key holds the executable path; the version itself is read from the binary’s file properties. A quick snippet:

```powershell
# (Default) under App Paths is the path to the browser executable
$chrome = (Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe").'(Default)'
$edge   = (Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe").'(Default)'
# Read the product version embedded in each executable
(Get-Item $chrome).VersionInfo.ProductVersion
(Get-Item $edge).VersionInfo.ProductVersion
```

Then compare the version string against 148.0.7778.96.
- Intune / Defender for Endpoint: Use the vulnerability management dashboard to hunt for devices that still report Chrome or Edge versions below the fixed build. Defender for Endpoint already has detection logic for CVE-2026-7930, and it will surface exposed devices under “Security Recommendations”.
- Test the redirect chain: Security teams can deploy a benign proof‑of‑concept page internally that attempts the redirect sequence and then checks whether a dummy Partitioned cookie is leaked. Google released a minimal test harness on its GitHub security‑advisories page (link below).
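Comparing version strings by eye does not scale to a fleet, so here is an added example (not tooling from Google or Microsoft) that turns the registry check above into a proper report: it reads the Chrome and Edge binaries’ product versions, finds the active WebView2 Runtime folder, and compares each against the fixed build as a [version] rather than as text, so 148.0.7778.96 sorts correctly against 148.0.7778.100. The computer list, the script file name and the WebView2 folder locations are assumptions; the fixed build number is the one from the advisory.

```powershell
# Added example, not Microsoft or Google tooling: reports whether Chrome, Edge and
# the WebView2 Runtime on this host are at or above the fixed Chromium build.
# Save as Check-ChromiumPatch.ps1 (assumed name) and fan out with Invoke-Command.

$FixedBuild = [version]'148.0.7778.96'   # fixed build from the advisory

function Get-BrowserVersion {
    param([string]$AppPathKey)
    # App Paths (Default) holds the executable path; the version comes from the binary itself
    $exe = (Get-ItemProperty -Path $AppPathKey -ErrorAction SilentlyContinue).'(Default)'
    if ($exe -and (Test-Path $exe)) {
        return [version](Get-Item $exe).VersionInfo.ProductVersion
    }
    return $null
}

function Get-WebView2Version {
    # Evergreen WebView2 installs under a version-named folder; the highest folder is the active runtime.
    # Assumption: checked under both Program Files roots, since 64-bit Windows uses the (x86) one.
    $roots = @(
        (Join-Path $env:ProgramFiles 'Microsoft\EdgeWebView\Application'),
        (Join-Path ${env:ProgramFiles(x86)} 'Microsoft\EdgeWebView\Application')
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $dirs = Get-ChildItem $root -Directory | Where-Object { $_.Name -match '^\d+(\.\d+){3}$' }
        if ($dirs) {
            return $dirs | ForEach-Object { [version]$_.Name } | Sort-Object -Descending | Select-Object -First 1
        }
    }
    return $null
}

function Test-ChromiumPatchState {
    $checks = @(
        @{ Component = 'Chrome';   Version = Get-BrowserVersion 'HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe' }
        @{ Component = 'Edge';     Version = Get-BrowserVersion 'HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe' }
        @{ Component = 'WebView2'; Version = Get-WebView2Version }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Component    = $c.Component
            Version      = $c.Version
            # A missing component is reported as such, never silently counted as patched
            Status       = if (-not $c.Version) { 'NotInstalled' }
                           elseif ($c.Version -ge $FixedBuild) { 'Patched' }
                           else { 'VULNERABLE' }
        }
    }
}

Test-ChromiumPatchState
```

Run it locally for one host, or against a fleet with Invoke-Command -ComputerName (Get-Content .\fleet.txt) -FilePath .\Check-ChromiumPatch.ps1, then filter the returned objects on Status -eq 'VULNERABLE' to get your remediation list. Using -FilePath rather than a script block sends the whole file, so the helper functions and $FixedBuild exist on the remote side.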
What if you can’t patch immediately?
Organisations that must delay patch deployment due to compatibility testing should implement compensatory controls:
- Disable Partitioned cookies via enterprise policy (temporary measure): Both Chrome and Edge allow admins to disable the Partitioned Cookies feature entirely through the DefaultCookiesSetting or ExperimentalCookieFeatures policies. This breaks some websites that rely on partitioned storage, but it is safer than allowing unauthenticated cookie theft.
- Block third‑party cookies: In Edge, enable “Block third‑party cookies” strictly. In Chrome, set the BlockThirdPartyCookies policy to true. Note that this might disrupt embedded maps, chat widgets, and payment gateways.
- Isolate browsing with Remote Desktop Services or Azure Virtual Desktop: Have users perform sensitive SaaS operations from a locked‑down, fully patched RDS session until endpoints are updated.
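Where Group Policy templates are not yet imported, the third‑party‑cookie control above can be applied directly through the machine policy registry keys that both browsers read. The script below is an added example, not Microsoft or Google documentation: it enforces the BlockThirdPartyCookies policy for Chrome and Edge, reports the current state so the change can be verified, and removes the value again once the fleet is patched. The policy name and key paths are the standard Chrome and Edge machine‑policy locations; the assumption is that the script runs elevated on each endpoint.

```powershell
# Added example, not vendor documentation: enforce, verify and roll back the
# BlockThirdPartyCookies machine policy for Chrome and Edge. Run elevated.

$PolicyKeys = @{
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}

function Set-ThirdPartyCookieBlock {
    param([switch]$Remove)   # -Remove deletes the value so the browser returns to its default
    foreach ($entry in $PolicyKeys.GetEnumerator()) {
        $key = $entry.Value
        if ($Remove) {
            if (Test-Path $key) {
                Remove-ItemProperty -Path $key -Name 'BlockThirdPartyCookies' -ErrorAction SilentlyContinue
            }
            continue
        }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DWORD 1 = block third-party cookies; a machine policy is mandatory and the UI toggle is locked
        New-ItemProperty -Path $key -Name 'BlockThirdPartyCookies' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-ThirdPartyCookieBlock {
    # One row per browser so the state can be checked before and after the change
    foreach ($entry in $PolicyKeys.GetEnumerator()) {
        $value = (Get-ItemProperty -Path $entry.Value -Name 'BlockThirdPartyCookies' -ErrorAction SilentlyContinue).BlockThirdPartyCookies
        [pscustomobject]@{
            Browser                = $entry.Key
            BlockThirdPartyCookies = if ($null -eq $value) { 'not set (browser default)' }
                                     elseif ($value -eq 1)  { 'enforced' }
                                     else                   { 'explicitly off' }
        }
    }
}

# Typical sequence on an endpoint that cannot be patched yet
Get-ThirdPartyCookieBlock                 # baseline
Set-ThirdPartyCookieBlock                 # enforce the compensating control
Get-ThirdPartyCookieBlock                 # confirm both browsers report 'enforced'
# After the 148.0.7778.96 builds are deployed: Set-ThirdPartyCookieBlock -Remove
```

Users must restart the browser, or visit chrome://policy and edge://policy and click Reload policies, for the value to take effect. Keep the rollback step in the same change ticket as the patch deployment, otherwise the embedded‑content breakage the article warns about lingers long after the vulnerability is closed.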
The broader Chromium security landscape in 2026
CVE-2026-7930 arrives during a year that has already seen a sharp rise in browser‑targeted attacks. By mid‑2026, Chromium CVEs are trending 40% higher than the same period last year, fueled by an increasingly complex web platform. Cookie‑related logic flaws, specifically, have been responsible for three other public exploits in the last six months, including a widely exploited SameSite bypass in Chrome 145.
Microsoft’s investment in Edge’s security features—such as Super Duper Secure Mode, automatic profile switching for work content, and deep integration with Microsoft Purview data‑loss prevention—does not shield the browser from upstream Chromium bugs. As this incident illustrates, every Chromium flaw is an Edge flaw. The only protection is rapid patch deployment.
For Windows enterprise customers, a clear takeaway is to treat browser updates with the same urgency as OS kernel patches. The days of deferring browser updates by a week are over. Attackers reverse‑engineer Chrome stable patches within hours, and exploit code for CVE-2026-7930 has already been spotted on underground forums, according to KELA’s threat intelligence feed.
Conclusion
CVE-2026-7930 is a textbook example of why cookie isolation features must be implemented with painstaking attention to every possible navigation flow. A single incorrect state‑machine transition broke the confidentiality of Partitioned cookies, opening the door to session hijacking at scale. Google and Microsoft released coordinated fixes on May 7, 2026, and all Windows fleet admins should update Chrome, Edge, and the WebView2 Runtime immediately. The patch requires no configuration changes; simply deploying the latest stable builds seals the vulnerability.
The incident reinforces that logical flaws in web‑privacy mechanisms can be exploited just as deterministically as memory‑safety bugs, and that enterprise patch‑management strategies must keep pace with the browser’s breakneck release tempo. If you haven’t updated yet, now is the time—the attackers are already scanning for unpatched browsers.