CVE-2026-7953, a high-severity universal cross-site scripting (UXSS) flaw in Chromium’s Omnibox, was patched on May 6, 2026, with the release of Google Chrome 148. The vulnerability allows attackers to spoof the address bar, potentially tricking users into believing they are on a legitimate site while injecting malicious scripts. Google has rolled out Chrome 148.0.7778.96 for Linux and versions 148.0.7778.96/97 for Windows and macOS to address the issue. Microsoft Edge, built on the same Chromium engine, is also affected, and users should apply forthcoming patches immediately.

What Is CVE-2026-7953?

CVE-2026-7953 is a Universal Cross-Site Scripting (UXSS) vulnerability residing in Chromium’s Omnibox—the combined address bar and search box used by Chrome and other Chromium-based browsers. UXSS flaws are particularly dangerous because they bypass browser security boundaries, enabling an attacker to execute scripts in the context of a different website than the one hosting the malicious content. In this case, the vulnerability allows an attacker to manipulate the display of the URL in the Omnibox, making it appear as if the user is visiting a trusted domain while the actual page loads content from an attacker-controlled source.

The flaw was discovered internally by Google and disclosed on May 6, 2026. Google classified it as critical or high severity, though detailed technical analysis remains limited outside security circles. The core issue involves insufficient validation of URL displays during certain rendering conditions, which can be triggered via crafted HTML or redirection chains. Successful exploitation requires user interaction, typically by clicking a link or visiting a malicious page, but no further action is needed from the victim for the spoof to take effect.

Chrome 148 Fix: Versions and Deployment

Google addressed CVE-2026-7953 in the Stable channel update for Chrome 148, released on May 6, 2026. The patched versions are:

  • Windows: 148.0.7778.96 or 148.0.7778.97
  • macOS: 148.0.7778.96 or 148.0.7778.97
  • Linux: 148.0.7778.96

The dual version numbers for Windows and macOS indicate a staggered rollout or platform-specific hotfixes. Users can verify their Chrome version by navigating to chrome://settings/help or chrome://version. The browser should automatically download and install the update, but a restart is required to complete the process. IT administrators managing enterprise deployments should prioritize this update via group policies or management consoles.

According to Google’s release notes, the update includes the Omnibox fix along with several other security patches. The company has withheld full details on CVE-2026-7953 until a majority of users have updated, a standard practice to prevent rapid exploitation of unpatched systems.

Edge Patch Guidance for Users and Admins

Microsoft Edge, which shares the Chromium codebase, inherits this vulnerability. On May 6, Microsoft acknowledged the issue and confirmed that an Edge patch is in development. The company typically synchronizes its security updates with Chromium’s release cycle, so an Edge stable channel update should follow within days.

To check for updates in Edge manually:

  1. Open Edge.
  2. Click the three-dot menu > Help & feedback > About Microsoft Edge.
  3. Edge will check for and install any pending updates.
  4. Restart the browser to apply the update.

For enterprise environments, the update will be distributed via Microsoft Intune, Windows Server Update Services (WSUS), or other management tools. The expected Edge version will be 148.0.7778.96 or higher. Admins should consult the Microsoft Security Update Guide for the official advisory and deployment notes once published.

Users are advised to enable automatic updates for Edge and avoid disabling the built-in Microsoft Defender SmartScreen, which can partially mitigate phishing attempts that might leverage this UXSS flaw.

Impact and Exploitation Risks

CVE-2026-7953 poses significant phishing and data-theft risks. An attacker could craft a link that, when clicked, displays bankofamerica.com in the Omnibox while the actual content originates from evil.com. The user would see no visual discrepancy, enabling credential harvesting, malware downloads, or session hijacking. The UXSS nature means injected scripts can read or alter data from the perceived legitimate domain, bypassing the Same-Origin Policy.

High-value targets include financial institutions, email providers, and corporate web portals. Because the spoofed URL appears identical to the genuine one, even security-conscious users could fall victim. Google’s Safe Browsing and similar services will likely flag known exploit sites, but targeted attacks using obscure or fresh domains remain a concern.

There are no reports of active exploitation in the wild as of May 6, 2026, but the window between disclosure and exploit development is shrinking. Security researchers expect proof-of-concept code to surface within days, making swift patching essential.

A History of Omnibox UXSS Flaws

CVE-2026-7953 is not the first UXSS vulnerability tied to Chromium’s Omnibox. Past CVEs like CVE-2023-1542 and CVE-2024-8739 similarly allowed address-bar spoofing, underscoring the complexity of rendering URLs securely across multiple display modes, input methods, and language scripts. Google has progressively hardened Omnibox logic, but each new feature or optimization can reintroduce subtle bugs.

In earlier cases, attackers exploited unicode characters, bidirectional text, or right-to-left overrides to manipulate how URLs appeared. The 2026 variant targets a different code path—likely involving how the Omnibox updates after navigation events or XHR requests. By combining this with social engineering, attackers could mount highly effective campaigns.

Workarounds and Mitigations

Until the Edge patch is fully deployed, users can reduce risk by:

  • Manually typing URLs: If arriving from a link, especially from email or untrusted sources, navigate to the desired site by typing the address directly.
  • Checking certificate information: Click the lock icon in the address bar to inspect the SSL certificate; a mismatch between the displayed URL and the certificate’s Common Name may indicate spoofing.
  • Using application-level security: Enterprises can enforce web filtering solutions that block known phishing pages or newly registered domains.
  • Disabling JavaScript: While extreme, disabling JavaScript for untrusted sites can prevent script injection, but this breaks many modern websites.

Browser extensions that manipulate the Omnibox or intercept network requests could potentially exacerbate the flaw. Users should minimize their extension footprint and ensure any remaining extensions are from trusted publishers. Google’s Enhanced Safe Browsing (in Chrome and Edge) provides an additional layer by checking URLs against real-time threat databases.

How to Ensure You Are Patched

For Chrome:

  • Open Chrome and navigate to chrome://settings/help.
  • If the version is older than 148.0.7778.96, click "Update Google Chrome" and restart.
  • For enterprise-managed browsers, contact your IT department to confirm the update has been deployed.

For Edge:

  • Go to edge://settings/help.
  • The browser will automatically check for updates. Once the patch is available, it will download and prompt a restart.
  • Enterprise admins can track the release via Microsoft Edge Release Schedule or the MSRC advisory.

Broader Ecosystem Implications

Any Chromium-based browser—including Brave, Vivaldi, Opera, and Samsung Internet—shares this vulnerability until their respective vendors merge the upstream fix. Users of these browsers should check for updates on their specific support channels. The Chromium project has already committed the patch to the open-source repository, so downstream vendors can integrate it rapidly.

Google has awarded a $15,000 bounty to the researcher who reported the flaw internally, reflecting the severity. The company emphasized that similar vulnerabilities will continue to emerge as browser features grow more complex, urging a shift toward foundational security architectures like site isolation and hardened renderer processes.

Final Steps for Windows Users

Windows users, particularly those relying on Edge as their daily driver, face the highest risk due to the browser’s deep integration with the operating system and corporate environments. Microsoft is expected to release the Edge patch within 72 hours of the Chrome fix, aligning with its historical turnaround. In the interim, using an alternative browser (such as a fully patched Chrome) for sensitive transactions is a prudent measure.

The Cybersecurity and Infrastructure Security Agency (CISA) has not yet issued a directive, but typically adds Chromium UXSS bugs to the Known Exploited Vulnerabilities catalog if active attacks are detected. Organizations should treat this vulnerability as critical and apply updates using their standard change management processes with urgency.

By May 9, 2026, a majority of Chrome and Edge installations should be protected, assuming users enable automatic updates. For those managing large fleets, leveraging update tools like Patch Manager Plus, Automox, or Microsoft Endpoint Configuration Manager can accelerate deployment. The key takeaway: don’t wait—update now and verify the patch, as UXSS flaws provide the perfect foundation for sophisticated phishing and malware campaigns that can bypass even trained eyes.