Google and Microsoft jointly disclosed CVE-2026-7945 on May 6, 2026, a medium-severity vulnerability in Chromium’s handling of the Cross-Origin-Opener-Policy (COOP) that puts site isolation at risk. The flaw affects all Chrome installations on Windows before version 148.0.7778.96, and Edge and other Chromium-based browsers are also exposed until patched.

At the heart of the issue is a logic error in how the browser processes COOP headers. These headers normally enforce strict separation between documents from different origins, preventing a malicious site from accessing sensitive data in another origin’s browsing context. When exploited, CVE-2026-7945 allows a remote attacker to craft a page that, when opened by a victim, can partially break out of its process sandbox and interact with cross-origin pages that should be completely isolated.

This is not a theoretical risk. Proof-of-concept code demonstrated that a specially crafted phishing page could open a legitimate banking or email site in a pop-up, then use timing side-channels and limited JavaScript references to extract authentication tokens. Windows users are the primary target because site isolation on Windows relies heavily on process-level separation—a defense that this COOP bypass directly undermines.

How Site Isolation and COOP Work Together

Modern browsers combat Spectre-style attacks and cross-site leaks by running each origin in a separate operating system process. Site isolation ensures that a renderer process for bank.com can never access the memory or DOM of mail.com, even if a universal cross-site scripting bug exists in the rendering engine.

COOP is a complementary security mechanism. It allows a website to opt into a browsing context group that severs all references from cross-origin openers. When a page sends the Cross-Origin-Opener-Policy: same-origin header, the browser creates a fresh browsing context without any opener relationship. This prevents attacks where a malicious opener could hold a reference to a pop-up window and use that to redirect, resize, or sniff its location.

CVE-2026-7945 emerges from the intersection of these two systems. A bug in the parsing of COOP headers under specific nested browsing context scenarios caused the browser to incorrectly share a process between cross-origin documents when one of them lacked a proper COOP declaration. As a result, an attacker could open a target site in a pop-up and retain enough access to probe its sensitive cookies, session data, or even script execution through out-of-bounds renderer interactions.

Real-World Exploitation Scenario

Consider an employee using a Windows laptop to access a corporate SaaS dashboard. An attacker sends a spear-phishing email containing a link to a benign-looking site. That site silently opens the dashboard in a pop-up window. Normally, the pop-up would be fully isolated; the parent page could not read its URL, cookies, or content. But with this vulnerability, speculative execution attacks in the shared renderer process can leak bytes from the dashboard’s memory. Over repeated attempts, an attacker can reconstruct session cookies or API tokens.

Google’s severity rating of “Medium” reflects the prerequisite of luring a user to a malicious page and the need for subsequent sophisticated memory-read techniques. However, in targeted attacks against high-value individuals or enterprises, the risk jumps significantly. Security researchers at Carnegie Mellon University’s CyLab demonstrated a weaponized exploit in a controlled environment, achieving token extraction in under three minutes on an unpatched Chrome 147 system running Windows 11 24H2.

Microsoft’s Role and the Windows Ecosystem

Microsoft collaborated on the disclosure because the underlying Chromium engine also powers Microsoft Edge, Teams, and other Windows applications that embed WebView2. Edge version 148.0.7778.96 was deployed simultaneously through Windows Update on May 6. Enterprises that manage patching through WSUS or Microsoft Intune should verify that all endpoints have received KB5048592, which bundles the Edge update with the security roll-up for May 2026.

Windows Server versions that use Edge or WebView2 for administrative portals are also affected. Microsoft Defender for Endpoint has added a detection rule (Alert ID: 11452) that flags abnormal cross-origin opener references indicative of this exploit. This buys time for organizations that cannot patch immediately.

Patches and Mitigations

Google released the fix in Chrome 148.0.7778.96, which began rolling out on May 6, 2026. The Stable channel update reached all platforms by May 8. Users should navigate to chrome://settings/help to force an update or restart the browser if it has been running continuously.

The update modifies the browser’s ScriptSecurityPolicy enforcement logic. COOP headers are now evaluated earlier in the navigation commit sequence, before any renderer processes are allocated. Additionally, Chrome will automatically apply a default same-origin-allow-popups policy if the server fails to send any COOP header—an extra defensive measure that hardens pop-up isolation even against misconfigured sites.

For unpatched systems, several workarounds reduce risk:

  • Disable pop-ups globally via browser settings. This turns dom.disable_open_during_load on, preventing the most common attack vector.
  • Use an extension that forces strict site isolation, such as uMatrix’s per-scope switches or the native chrome://flags/#strict-site-isolation flag set to “Enabled.”
  • For enterprises, enforce isolation through Group Policy: set SitePerProcess to 1 and RendererCodeIntegrityEnabled to 1 to require out-of-process iframes and renderer code integrity checks.

These workarounds are not foolproof. Sophisticated attackers can still leverage iframes or service workers, but they make exploitation materially harder.
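A check an endpoint administrator could run for patch status and the Group Policy workaround above, as an added example that is not part of the original article or of Google's or Microsoft's guidance. It assumes the default install paths for Chrome and Edge and the standard policy registry keys each browser reads, and must run in an elevated session.

```powershell
# Added example (not from the advisory): compare installed Chrome/Edge builds
# against the fixed build named in the advisory and, where a browser is still
# below it, apply the Group Policy values listed in the workarounds.
$FixedBuild = [version]'148.0.7778.96'

# Browser binaries and the policy key each browser reads (default locations,
# assumed here; not taken from the advisory).
$Browsers = @(
    @{ Name = 'Chrome'
       Exe  = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe")
       Key  = 'HKLM:\SOFTWARE\Policies\Google\Chrome' },
    @{ Name = 'Edge'
       Exe  = @("$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe",
                "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe")
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' }
)

function Get-InstalledBrowserVersion([string[]]$Paths) {
    # First binary found wins; ProductVersion carries the release build string.
    foreach ($p in $Paths) {
        if (Test-Path $p) { return [version](Get-Item $p).VersionInfo.ProductVersion }
    }
    return $null
}

function Set-IsolationPolicy([string]$Key) {
    # SitePerProcess forces out-of-process iframes; RendererCodeIntegrityEnabled
    # stops unsigned code from loading into renderer processes.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in 'SitePerProcess', 'RendererCodeIntegrityEnabled') {
        New-ItemProperty -Path $Key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

foreach ($b in $Browsers) {
    $v = Get-InstalledBrowserVersion $b.Exe
    if ($null -eq $v) { Write-Output "$($b.Name): not installed"; continue }
    if ($v -ge $FixedBuild) {
        Write-Output "$($b.Name) $v : patched (>= $FixedBuild)"
    } else {
        Write-Warning "$($b.Name) $v : below $FixedBuild, applying isolation policy under $($b.Key)"
        Set-IsolationPolicy $b.Key
    }
}
```

The policy values take effect after the browser restarts; the workaround does not replace the update, so the script only applies it where the build is still below the fixed one.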

Detection and Response

Enterprise defenders should focus on monitoring for anomalous process affinity. In Windows Event Log, a sudden spike in Microsoft-Windows-Kernel-Process event ID 40 with mismatched origin security tokens suggests COOP bypass attempts. Using Sysmon, look for Chrome renderer processes accessing memory regions of other Chrome processes with different --isolated-origins arguments.

Google’s Threat Analysis Group has observed no active exploitation in the wild as of May 10, 2026. However, the public disclosure and PoC availability make it likely that exploit kits will integrate the bypass within weeks. Security teams should prioritize this patch alongside other May 2026 security updates.

History of Site Isolation Flaws

CVE-2026-7945 is the third COOP-related vulnerability in Chrome since 2024. CVE-2024-5842 allowed similar bypass through malformed COOP redirects, while CVE-2025-1121 exploited a race condition in out-of-process iframe adoption. Each iteration has tightened Chromium’s isolation architecture, but the complexity of cross-origin navigation guarantees an ongoing cat-and-mouse game between defenders and attackers.

What sets this vulnerability apart is its interaction with the Windows memory manager. On Linux and macOS, process separation uses a different threading model that limited the earlier PoC. Windows’ handle inheritance rules exacerbated the issue, making the platform the preferential target. Microsoft has committed to hardening Windows kernel object isolation in upcoming releases to reduce the attack surface for such renderer-borne exploits.

User Guidance

Home users should update Chrome immediately. The update process takes less than two minutes and requires no reboot. After updating, visit chrome://settings/security and ensure that “Always use secure connections” and “Enhanced protection” are enabled. These unrelated features do not block CVE-2026-7945 but improve general browsing safety.

Do not rely solely on third-party security software to catch this exploit. Traditional antivirus engines lack the runtime insight to detect renderer-side memory leaks. Behavioral detection by next-gen endpoint protection (e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint) can flag the out-of-process memory access pattern, but signature-based tools will miss it.

What’s Next

The Chromium team has promised a deeper architecture review of site isolation boundaries for Chrome 149, due in July 2026. Two proposals are under consideration: (1) mandatory out-of-process iframes for all cross-origin content, even when the parent site sets a permissive policy, and (2) removal of the legacy process-per-tab fallback path, which simplifies the attack surface.

For Windows users, the message is clear: update to Chrome 148.0.7778.96 or later, update Edge to the equivalent build, and audit WebView2-based line-of-business applications for exposure. CVE-2026-7945 is a medium-severity bug in isolation, but in the context of modern cyber-espionage campaigns, medium means “actively exploited within days.”