Google and Microsoft have rushed out fixes for CVE-2026-7934, a medium-severity flaw in Chromium’s popup blocker that could let malicious websites bypass one of the browser’s oldest defensive layers. The vulnerability was disclosed in early May 2026 and is patched in Google Chrome 148.0.7778.96 (and later) and in Microsoft Edge 148.0.2566.82. Both browsers are built on the open-source Chromium engine, so the same input-validation bug affected users on Windows, macOS, Linux, and Android. (Chrome and Edge on iOS are built on Apple’s WebKit rather than Chromium’s Blink engine, so they neither carry this bug nor need this fix.)
How the Popup Blocker Vulnerability Works
The Chromium popup blocker is designed to prevent websites from opening unsolicited windows or tabs, a technique often used for phishing, malware delivery, and intrusive advertisements. Under the hood, it checks that a popup request follows a genuine user gesture (a click or keypress, tracked by the browser as transient user activation) and consults the site’s popup permission before allowing the window. CVE-2026-7934 exposes a weakness in that validation chain. Attackers could craft a malicious page that, through carefully malformed JavaScript or hidden iframes, tricks the browser into treating an automated popup as user-initiated.
Google’s advisory describes the issue as an “insufficient validation of untrusted input in the popup blocker.” In practice, an attacker who lures a victim to a booby-trapped site could force a new window to open without the user clicking anything. That window might mimic a login screen, start a drive-by download, or redirect to a credential-harvesting page, all while the user believes the browser is protecting them.
Because the bug resides in the cross-platform Chromium codebase, every browser built on the affected code was exposed. That includes not only Chrome and Edge but also Opera, Brave, Vivaldi, and the many Android apps that embed a Chromium-based WebView. Google’s patch, merged into the Chromium repository, is the upstream fix that all of those downstream vendors pull in on their own release schedules.
Severity and Real-World Impact
Google’s security team assigned CVE-2026-7934 a Medium severity rating. That may sound low compared to the “Critical” and “High” RCE bugs that grab headlines, but it shouldn’t be ignored. Bypassing a popup blocker strips away a fundamental user expectation—the idea that a browser won’t spawn windows without your say-so. Combine it with a convincing phishing template, and even savvy users can be tricked.
There is no evidence yet of active exploitation in the wild. Still, the fact that Google and Microsoft coordinated disclosure and patching on the same day suggests the bug was considered serious enough to fast-track. Once a fix is public, the diff itself gives attackers a roadmap to the weakness, and browser bypasses of this kind are routinely folded into phishing and malvertising kits, which is why rapid updates matter even for a medium-severity bug.
The Patches: Chrome 148.0.7778.96 and Edge 148.0.2566.82
The fix lands in Chrome 148.0.7778.96, which Google started rolling out on May 6, 2026, to the Stable channel. The update is incremental and weighs just a few megabytes, so most users will receive it automatically within hours. Microsoft followed on the same day, releasing Edge 148.0.2566.82. Both versions contain the patched Chromium engine along with any browser-specific tweaks.
For Chrome, the update also includes eight other security fixes, but CVE-2026-7934 is the only one that was externally reported and assigned a severity rating; the rest came from Google’s internal audits and fuzzing. Edge’s release notes mirror Chrome’s, listing the popup blocker vulnerability as the only externally reported Chromium CVE addressed in this cycle.
How to Update
Chrome: Click the three-dot menu > Help > About Google Chrome. The browser will check for updates and install them automatically. The version number should read 148.0.7778.96 or higher. Restart Chrome to complete the process.
Edge: Click the three-dot menu > Help and feedback > About Microsoft Edge. Like Chrome, Edge will download and apply the update. The version should be 148.0.2566.82 or later. A restart is required.
Enterprise administrators who manage Chrome via Group Policy or Edge via Intune/ConfigMgr should push the updated MSI packages immediately. Google’s enterprise release notes and Microsoft’s Security Update Guide list the specific file versions and hashes required.
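Administrators checking fleets against the fixed versions above should compare version numbers component by component, not as strings: a later build such as 148.0.7778.100 sorts *before* 148.0.7778.96 lexically and would be reported as unpatched. The Node.js script below is an added example (not Google’s or Microsoft’s tooling) that parses the string a browser prints for `--version` (or the DisplayVersion value from a Windows uninstall registry entry), compares it numerically against the fixed versions named in this article, and lists the hosts that still need the update. The inventory rows are constructed sample data.

```javascript
// Added example: verify installed Chrome/Edge builds against the fixed versions
// for CVE-2026-7934. Not vendor tooling; the inventory rows below are constructed.

const FIXED_VERSIONS = {
  chrome: '148.0.7778.96',  // fixed Chrome Stable build named in the article
  edge: '148.0.2566.82',    // fixed Edge build named in the article
};

// Parse "148.0.7778.96" into [148, 0, 7778, 96]; null if the string is malformed.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(String(s).trim());
  return m ? m.slice(1, 5).map(Number) : null;
}

// Numeric comparator over the four components (<0, 0, >0 like Array.sort).
// String comparison would wrongly rank "148.0.7778.100" below "148.0.7778.96".
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  if (!va || !vb) throw new Error(`malformed version: ${!va ? a : b}`);
  for (let i = 0; i < 4; i++) {
    if (va[i] !== vb[i]) return va[i] - vb[i];
  }
  return 0;
}

// Pull the version out of free text such as "Google Chrome 148.0.7778.96" or
// "Microsoft Edge 148.0.2566.82" (what the binaries print for --version).
function extractVersion(text) {
  const m = /(\d+\.\d+\.\d+\.\d+)/.exec(String(text));
  return m ? m[1] : null;
}

// Decide whether one installation is at or above the fixed build.
function isPatched(browser, versionText) {
  const fixed = FIXED_VERSIONS[browser] || null;
  const installed = extractVersion(versionText);
  if (!fixed) return { browser, installed, fixed, patched: false, reason: 'unknown browser' };
  if (!installed) return { browser, installed, fixed, patched: false, reason: 'version not found' };
  return { browser, installed, fixed, patched: compareVersions(installed, fixed) >= 0 };
}

// Constructed sample inventory, shaped like an endpoint-management export.
const SAMPLE_INVENTORY = [
  { host: 'ws-01', browser: 'chrome', output: 'Google Chrome 148.0.7778.96' },   // exactly fixed
  { host: 'ws-02', browser: 'chrome', output: 'Google Chrome 148.0.7778.100' },  // newer; string compare would fail here
  { host: 'ws-03', browser: 'chrome', output: 'Google Chrome 147.0.7700.120' },  // previous major
  { host: 'ws-04', browser: 'edge', output: 'Microsoft Edge 148.0.2566.82' },    // exactly fixed
  { host: 'ws-05', browser: 'edge', output: 'Microsoft Edge 148.0.2566.7' },     // older build of same branch
];

function auditInventory(rows) {
  return rows.map((r) => ({ host: r.host, ...isPatched(r.browser, r.output) }));
}

// Hosts that still need the update, in inventory order.
function unpatchedHosts(rows) {
  return auditInventory(rows).filter((r) => !r.patched).map((r) => r.host);
}

console.log('Unpatched hosts:', unpatchedHosts(SAMPLE_INVENTORY));
```

On Linux the text fed to `extractVersion` comes from `google-chrome --version` or `microsoft-edge --version`; on Windows, read it from the browser’s uninstall registry entry or your management tool’s software inventory. Feed the real rows into `auditInventory` in place of `SAMPLE_INVENTORY`.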
Enterprise Considerations
For IT departments, CVE-2026-7934 is more than a checkbox item. Many enterprises configure popup blockers via policy to suppress unexpected windows on line-of-business applications. A bypass could lead to help desk calls, credential theft, or lateral movement if users are tricked into entering domain credentials.
Microsoft’s Security Response Center (MSRC) published advisory ADV20260507, detailing the Edge fix. Notably, the Edge update is not delivered as a Windows cumulative update; it is a self-contained browser patch. It never requires a system reboot, but the new binaries only take effect once the browser is relaunched, so a user who keeps Edge open stays on the old build until then. If your organization distributes Edge updates through WSUS or Microsoft Endpoint Manager rather than Edge’s own updater, you may need to approve the new package manually.
Google’s enterprise release notes for Chrome 148 warn that the popup blocker change may affect a small number of internal web apps that rely on tightly timed popup events. Few regressions are expected, but administrators should test critical applications after the update; popups opened from timers, deferred network callbacks, or cross-origin frames rather than directly from a click handler are the likeliest casualties.
A Brief History of Chromium Popup Blocker Flaws
This isn’t the first rodeo for the popup blocker. Chromium’s issue tracker shows a steady stream of popup-related bugs filed every year—most are labeled “WontFix” because they represent deliberate design choices. But when the blocker can be circumvented entirely, it rises to the level of a CVE.
In 2023, CVE-2023-4586 (medium) allowed a hostile site to trigger a popup during a JavaScript alert. In 2024, CVE-2024-1053 (low) let extensions bypass the blocker under certain conditions. CVE-2026-7934 is in the same family, but its input-validation angle makes it more dangerous because it doesn’t require any special user state or extension interaction—just a visit to a poisoned page.
What the Fix Actually Does
The Chromium commit associated with the fix adds stricter origin checks when processing the window.open() JavaScript method and similar APIs. Previously, the code trusted certain cross-origin data that should have been sanitized. Now, the browser discards any popup request that doesn’t pass a rigorous same-origin test, unless the user has explicitly granted popup permissions to the site.
Developers who notice their legitimate popups breaking should first confirm that the window.open() call runs directly inside a user-gesture handler (a click or keypress) rather than from a timer, a deferred network callback, or a cross-origin frame, and that the popup targets a URL they control. Cross-origin popups are not forbidden by the web platform, but the patch gives the blocker less benefit of the doubt, so a popup that previously slipped through on ambiguous timing or origin may now require an explicit popup permission for the site.
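To make the gesture check described in the sections above concrete, here is an added example (not Chromium code and not from the fix): a small model of the user-activation gate the popup blocker applies, and a browser-side helper that opens a popup from a gesture handler and detects when the blocker refused it. The 5-second transient activation window and the one-popup-per-gesture consumption rule are the HTML-spec behaviour Chromium implements; the decision function is a simplified model for illustration, and the `ctx` objects are constructed.

```javascript
// Added example, not browser source: models the user-activation gate of the
// Chromium popup blocker and shows how a page should open a popup so that the
// browser treats it as user-initiated, and how to detect a blocked popup.

// Transient user activation lasts this long after the gesture (HTML spec value
// Chromium uses; assumption labelled here rather than read from the browser).
const TRANSIENT_ACTIVATION_MS = 5000;

// Simplified model of the gate. `ctx` describes the calling frame:
//   popupsPermission : 'allow' | 'block' | 'ask'  (site setting)
//   lastActivationMs : timestamp of the last genuine gesture, or null
//   activationConsumed: true once a window.open() already spent the activation
function popupAllowed(ctx, nowMs) {
  if (ctx.popupsPermission === 'allow') return { allowed: true, reason: 'site permission' };
  if (ctx.popupsPermission === 'block') return { allowed: false, reason: 'site blocked' };
  if (ctx.lastActivationMs === null) return { allowed: false, reason: 'no user activation' };
  const age = nowMs - ctx.lastActivationMs;
  if (age < 0 || age > TRANSIENT_ACTIVATION_MS) return { allowed: false, reason: 'activation expired' };
  // One popup per gesture: window.open() consumes the transient activation.
  if (ctx.activationConsumed) return { allowed: false, reason: 'activation already consumed' };
  return { allowed: true, reason: 'transient user activation' };
}

// Browser-side helper. window.open() returns null when the popup was blocked;
// navigator.userActivation.isActive (Chromium 72+) reports whether the frame
// currently holds transient activation. `win` defaults to the real window and
// can be replaced by a constructed object for testing outside a browser.
function openPopupChecked(url, features = 'popup,width=600,height=400', win = globalThis.window) {
  if (!win || typeof win.open !== 'function') {
    return { opened: false, reason: 'no window object (not running in a browser)' };
  }
  const ua = win.navigator && win.navigator.userActivation;
  if (ua && !ua.isActive) {
    // Calling window.open() here would be blocked: the gesture has expired or
    // there never was one, so fall back (e.g. show an in-page link) instead.
    return { opened: false, reason: 'no transient user activation' };
  }
  const handle = win.open(url, '_blank', features);
  if (handle === null) return { opened: false, reason: 'blocked by popup blocker' };
  return { opened: true, handle };
}

// Usage in a page (constructed illustration):
//   button.addEventListener('click', () => openPopupChecked('/help'));   // allowed
//   button.addEventListener('click', () =>
//     setTimeout(() => openPopupChecked('/help'), 10000));                // blocked: activation expired
```

The `popupAllowed` model is what a page author should reason with: a popup is allowed only from a site granted the popups permission or within a few seconds of a real gesture that no earlier `window.open()` has already spent. The "automated popup treated as user-initiated" outcome the advisory describes is precisely a failure of this gate; `openPopupChecked` is the defensive counterpart, refusing to call `window.open()` blind and surfacing the blocked case instead of silently returning null.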
User Mitigations and Best Practices
Even with the patch applied, users should practice a few hygiene habits:
- Keep browsers updated. Both Chrome and Edge offer automatic updates, but you can verify manually as described above.
- Enable enhanced safe browsing (Chrome) or SmartScreen (Edge). These features block known phishing and malware sites before they can exploit any bug.
- Be skeptical of unexpected popups. If a window or tab appears out of nowhere, close it immediately—don’t interact with its contents, even if it claims to be from a trusted service.
- Use an ad blocker or content blocker. Malvertising is a common delivery path for pages that abuse popup and redirect bugs, and a good blocker keeps many of those pages from loading at all.
For families managing devices for less technical users, note that Chrome’s site isolation (each site rendered in its own process) is already on by default on desktop; the flag at chrome://flags/#site-isolation-trial-opt-out only turns it off and should be left alone. On Android, where isolation is partial by default to save memory, chrome://flags/#enable-site-per-process extends it to all sites. Site isolation won’t stop popup bypasses, but it limits what a hostile page can read from other sites if a deeper bug is chained with one.
What Comes Next?
Google and Microsoft will likely release detailed blog posts in the coming days, especially if exploitation is detected. The Chromium security team often rewards researchers for such findings under its Vulnerability Reward Program; the researcher who reported CVE-2026-7934 may be named in an upcoming Chrome release blog post.
Meanwhile, users of other Chromium-based browsers should check for updates over the next week. Opera, Brave, and Vivaldi typically incorporate upstream Chromium fixes within 48–72 hours. On Android, the system WebView is shipped by Google through Google Play rather than by device manufacturers, so devices with Play services tend to receive it on roughly Chrome’s schedule; apps that bundle their own Chromium build, and devices without Play, can lag by weeks. Chrome for Android and Edge for Android are already updated through their respective app stores.
CVE-2026-7934 won’t be the last popup blocker bypass. As browsers tighten security, attackers keep hunting for edge cases in validation logic. The swift, coordinated response from Google and Microsoft shows how routine this cycle has become: find the gap, fix it upstream, ship it to every channel within a day. For now, the best defense remains the patch itself. Apply it, and the popup blocker can return to its quiet, unsung duty of keeping the web a little less noisy and a lot safer.