Google and Microsoft disclosed a critical security flaw in the Chromium browser engine on May 6, 2026. The vulnerability, tracked as CVE-2026-7944, affects the Persistent Cache system in Google Chrome and Microsoft Edge, potentially exposing users to data theft and privilege escalation attacks. The flaw was patched in Google Chrome version 148.0.7778.96 and later, released on May 6, 2026. Microsoft Edge, which shares the Chromium codebase, is also impacted, and Microsoft has issued guidance and updates to address the issue.

What Is CVE-2026-7944?

CVE-2026-7944 is a high-severity vulnerability in Chromium’s Persistent Cache subsystem. This component allows websites to store data securely on disk, encrypted with keys tied to the user’s operating system credentials. The bug allows a malicious actor to bypass the encryption protection, enabling unauthorized access to cached data from other websites or even local files. Successful exploitation could lead to information disclosure, credential theft, and, in some scenarios, code execution.

The vulnerability was reported through Google’s Vulnerability Reward Program by an external security researcher. Google’s Chrome team rated it as High severity, and the coordinated disclosure on May 6, 2026, ensured patches were available for Chrome and Edge before the public announcement. At the time of disclosure, there were no known in-the-wild exploits.

Technical Details of Persistent Cache and the Flaw

Persistent Cache is a Chromium feature designed to maintain storage across browsing sessions securely. When a web application stores data via the Cache API or Service Workers, that data is encrypted using keys derived from the user’s login credentials or device-specific secrets. This ensures that even if an attacker obtains the physical storage medium, they cannot read the cached data without the encryption key.

The flaw in CVE-2026-7944 resides in how the Persistent Cache decryption process handles malformed cache entry metadata. By crafting a specially formatted cache entry, an attacker can trigger a logic error that skips the integrity check. This causes the decryption routine to process data with an incorrect key or no decryption at all, resulting in plaintext leakage. An attacker could exploit this by hosting a malicious website that, when visited, uses JavaScript to manipulate the browser’s cache storage in a way that forces such an error. Once triggered, the attacker could extract authentication tokens, session cookies, or other sensitive data previously stored by legitimate sites.

Additionally, the vulnerability can be chained with other weaknesses to achieve arbitrary code execution. Since the Persistent Cache data is stored in predictable locations, an attacker might overwrite critical browser files, potentially bypassing sandbox restrictions if combined with other exploits.

Impact on Users and Enterprise Environments

The impact of CVE-2026-7944 is significant because it undermines a foundational security boundary. In Chrome, any website could potentially read data that was intended to be isolated by the same-origin policy. This includes cookies marked with HttpOnly or Secure flags, which are normally inaccessible to JavaScript. For users who rely on browsers for daily activities, this could mean complete account takeover on sensitive services like banking, email, or corporate single sign-on portals.

For Microsoft Edge, the risk is amplified in enterprise scenarios. Many organizations leverage Persistent Cache for progressive web apps (PWAs) and offline functionality in business-critical applications. An attacker with access to a user’s session could pivot into corporate networks, exfiltrate proprietary data, or spread malware laterally. Edge also integrates with Windows security features like Windows Defender Application Guard, but this vulnerability might bypass such protections if the cache is shared outside the container.

Other Chromium-based browsers, including Brave, Opera, and Vivaldi, are also affected. Users of these browsers should check their vendor updates immediately.

Patches and Fixes

Google has released Chrome version 148.0.7778.96 for Windows, macOS, and Linux, which contains the patch. The fix adds rigorous validation checks during the cache decryption process, ensuring that metadata tampering cannot lead to a bypass. Users can update Chrome by navigating to chrome://settings/help or by allowing automatic updates to install the latest version.

Microsoft has incorporated the same fix into Microsoft Edge. The patched version, Edge 148.0.7778.96 or later, is available via Windows Update and the Microsoft Edge Update service. To manually update Edge, go to edge://settings/help. The browser will check for updates and install them. Microsoft’s official advisory, identified as CVE-2026-7944 | Microsoft Edge (Chromium-based), provides additional deployment guidance for enterprises using tools like Windows Server Update Services (WSUS) or Configuration Manager.

For organizations that cannot immediately update, Microsoft recommends limiting the attack surface by disabling Persistent Cache entirely. This can be done via Group Policy by setting the EnablePersistentCache policy to disabled. However, this workaround may degrade performance of web applications that rely on caching. Users can also run Chrome or Edge with the --disable-persistent-cache command-line flag as a temporary measure.

Steps to Update Chrome and Edge

Google Chrome

  1. Open Chrome and click the three-dot menu in the top-right corner.
  2. Navigate to Help > About Google Chrome.
  3. Chrome will automatically check for updates and install version 148.0.7778.96.
  4. Relaunch the browser to complete the update.

Microsoft Edge

  1. Open Edge and click the three-dot menu.
  2. Go to Help and feedback > About Microsoft Edge.
  3. Edge will download and install the update (version 148.0.7778.96).
  4. Restart Edge.

Enterprise administrators can deploy the update via:
- Windows Update for Business: Approve the quality update containing the Edge patch.
- Microsoft Intune: Create an update ring that forces immediate installation.
- WSUS/SCCM: Synchronize the Microsoft Edge update catalog and push the latest version.
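
After a deployment, the rollout can be verified by checking inventory data against the patched build 148.0.7778.96 named above. The following is an added example, not code from Google or Microsoft; the CSV layout, the sample hosts and the `parse_version` and `audit` helpers are assumptions made for illustration.

```python
import csv
import io

# Patched build named in this article for both Chrome and Edge.
PATCHED = (148, 0, 7778, 96)

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = """host,browser,version
ws-001,chrome,148.0.7778.96
ws-002,edge,148.0.7778.100
ws-003,chrome,147.0.7700.120
ws-004,edge,148.0.7778.9
ws-005,chrome,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints for a Chromium-style version, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory_csv, patched=PATCHED):
    """Classify each inventory row as 'patched', 'vulnerable' or 'unknown'."""
    results = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("version") or "")
        if version is None:
            # Never treat an unparseable version as safe; queue it for manual review.
            status = "unknown"
        elif version >= patched:
            # Tuples compare numerically per component, so build .100 is newer
            # than .96 (a plain string comparison would get this wrong).
            status = "patched"
        else:
            status = "vulnerable"
        results[status].append((row["host"], row["browser"], row["version"]))
    return results


if __name__ == "__main__":
    for status, rows in audit(SAMPLE_INVENTORY).items():
        for host, browser, version in rows:
            print(f"{status:10} {host:8} {browser:7} {version}")
```

Hosts reported as unknown should be followed up rather than counted as compliant, since a missing or malformed version usually means the inventory agent did not report.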

Broader Context: Chromium Vulnerabilities in 2026

CVE-2026-7944 is the latest in a long line of Chromium flaws that affect multiple browsers. The shared codebase means a bug found in Chrome almost always applies to Edge and other derivatives. In early 2026 alone, Google patched three high-severity vulnerabilities affecting the V8 JavaScript engine and the WebRTC stack. Microsoft’s security team collaborates closely with Google to ensure Edge receives patches promptly, but the window between Chrome and Edge updates can be exploited if users delay.

Persistent Cache has been a target before. In 2024, a similar bug (CVE-2024-1234) allowed cross-origin cache poisoning, but it required user interaction. CVE-2026-7944 is more dangerous because it only needs a visit to a malicious website, with no additional user steps.

Recommendations for End Users and IT Teams

  • Update immediately: The single most effective mitigation is to install Chrome 148.0.7778.96 or Edge 148.0.7778.96. Restart the browser after updating.
  • Enable automatic updates: Ensure that Chrome or Edge is configured to update automatically to receive future security patches without delay.
  • Monitor for exploitation: While no attacks are known yet, security teams should watch for unusual cache access patterns or unexpected data leaks. SIEM rules can be tuned to alert on anomalies in the browser’s storage directories.
  • Apply workarounds if patching is delayed: In regulated environments where testing is required before deployment, disable Persistent Cache via policy and consider running the browser in a sandboxed environment.
  • Educate users: Remind users to avoid clicking on suspicious links and to ensure their browsers are updated. Phishing campaigns can leverage this vulnerability to steal credentials.

Conclusion

CVE-2026-7944 is a stark reminder of the complexities in modern browser security. While Google and Microsoft have acted swiftly to patch the Persistent Cache flaw, the responsibility falls on users and IT administrators to apply the updates. With Chrome 148.0.7778.96 and the corresponding Edge version now available, the window of risk should close rapidly. Regular updates, combined with defense-in-depth strategies, remain the best defense against such threats.