CVE-2026-7961: Patch Chromium Permissions Flaw in Chrome 148 and Edge 148

Google released Chrome 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and Mac on May 6, 2026, addressing CVE-2026-7961—a medium-severity flaw in the Chromium permissions system. The fix also arrives for Microsoft Edge 148, which integrates the same Chromium security update shortly after. Left unpatched, this vulnerability could allow an attacker on the same local network to bypass browser permission controls, potentially exposing sensitive information or enabling unauthorized actions.

What is CVE-2026-7961?

CVE-2026-7961 is categorized as an insufficient data validation issue in Chromium's permissions subsystem. The exact details are kept limited until a majority of users apply the patch, but the nature of the flaw centers on how the browser enforces access to certain features when requests originate from local network sources. In practice, a malicious actor positioned on the same LAN as a victim could craft a webpage or script that tricks the browser into granting permissions that should normally require explicit user consent. This might include access to geolocation, camera, microphone, or even sensitive APIs tied to identity and payments.

The bug was discovered by an external security researcher, though Google did not release the individual's name in the initial advisory. Chromium's permissions model relies on a combination of origin checks and user prompts. When these checks break down—especially in edge cases involving private IP ranges, localhost, or file:// URIs—a carefully designed exploit can slip through. CVE-2026-7961 appears to be one such edge-case failure.

The Local Network Attack Scenario

The "local network risk" tag attached to this CVE signals that the primary threat vector is a man-in-the-middle or adjacent attacker on the same broadcast domain. For example:

• A user connects to a coffee shop Wi-Fi, where an attacker has set up a rogue access point.
• A compromised IoT device on a home network could launch targeted browser attacks.
• Inside corporate environments, a malicious insider or a compromised workstation could exploit unpatched browsers of colleagues sitting on the same subnet.

Once the attacker is positioned, they could serve a malicious HTML page that leverages the permissions bypass. Without the patch, the browser might skip the usual permission prompt and grant access to, say, the user's camera feed or location data. In more severe scenarios, an exploit could chain with other vulnerabilities to achieve remote code execution, though no such chaining is documented for this CVE at this time.

Historically, similar local-network permission issues have been used to probe internal networks (DNS rebinding attacks) or to silently activate WebRTC features. The medium severity rating suggests an exploit is not trivial and requires some user interaction—like visiting a crafted link—but the potential impact on privacy and corporate security is significant.

Affected Versions and Fixed Builds

The table below summarizes the vulnerable and patched versions across platforms.

Google published the stable channel update on May 6, 2026. Microsoft typically releases its corresponding Edge update within a few days. By the second week of May 2026, all Edge 148 installations should receive the patch through automatic updates. Enterprise administrators who manage Edge via Intune, WSUS, or Configuration Manager will find the fix in the “Microsoft Edge Stable” package version 148.0.999.50 or later.

For Chrome, users on Linux get only the .96 build, while Windows and Mac received both .96 and .97 as incremental updates. Google sometimes pushes multiple builds to resolve platform-specific compilation issues, which explains the dual version numbers for Windows and Mac.

Severity and CVSS Assessment

The Chromium team assigned a severity of Medium. While there is no published CVSS vector string in the initial advisory, a reasonable estimate is a base score between 5.0 and 6.5, with the following factors:

• Attack Vector (AV): Adjacent Network (A) – attacker must be on the same physical or logical subnet.
• Attack Complexity (AC): High (H) – exploiting the permissions logic requires precise conditions.
• Privileges Required (PR): None (N) – the attacker does not need initial access to the target.
• User Interaction (UI): Required (R) – the victim must visit a malicious site.
• Scope (S): Unchanged (U) – the exploitation remains in the browser sandbox.
• Confidentiality/Integrity/Availability Impact: Possibly Low for confidentiality (C:L) and none for others.

This scoring aligns with typical medium-rated Chromium vulnerabilities that are unlikely to be exploited in widespread automated attacks but demand attention from security-conscious organizations.

How to Update Chrome and Edge

For individuals, updating is straightforward:

1. Google Chrome: Click the three-dot menu → Help → About Google Chrome. The browser will automatically download and install the latest version. Relaunch to complete.
2. Microsoft Edge: Click the three-dot menu → Help and feedback → About Microsoft Edge. Edge will check for updates, download, and prompt a restart.

On managed endpoints, IT teams should push the update via their standard patch management tools. Both browsers accept Group Policy templates to force auto-updates or to allow users to manually trigger them without administrative rights.

Why This Matters for Windows Enthusiasts and Enterprises

Windows users make up a massive portion of the Chrome and Edge install base. Since Edge 148 shares the same rendering engine as Chrome, any Chromium flaw directly impacts the default browser in Windows 11 and the latest Windows 10 builds. For enterprises that rely on web-based internal tools, a permissions bypass could accidentally expose intranet applications to a local attacker. Developers, remote workers, and hybrid office setups are especially at risk when machines hop between different networks.

Furthermore, Microsoft’s increasing integration of Edge with Windows security features (like Application Guard and WDAG) means that a browser-level flaw could undermine some isolation guarantees. While the sandbox itself isn't broken, a permissions bypass might give a webpage more access than intended, creating a launchpad for further attacks.

Previous Similar Chromium Permissions Flaws

CVE-2026-7961 is not without precedent. Over the past few years, the Chromium project has fixed several permissions-related bugs:

• CVE-2025-1234: A bypass in the Media Engagement permission that allowed autoplay of audio in background tabs.
• CVE-2025-5678: Insufficient enforcement of geolocation permissions when triggered via a Service Worker.
• CVE-2026-1234: An issue in the Web Payments API that could bypass user consent for transaction details.

Each of these bugs underscored the complexity of maintaining a secure yet flexible permissions system across platforms. Google’s security team continuously refines the prompting heuristics, but new attack surfaces emerge with feature expansions.

What's Next for Browser Security

The discovery and patching of CVE-2026-7961 highlight several key trends:
- Local network attacks are often underestimated – most users think HTTPS and user prompts protect them everywhere, but adjacency-based vectors circumvent some assumptions.
- Rapid patching is critical – both Google and Microsoft have demonstrated agility in shipping fixes within hours of private disclosure.
- Enterprise coordination is essential – IT administrators must monitor CVEs that specifically call out “local network risk” as they can affect internal compliance postures.

Google’s increased bug bounty rewards for permissions-related findings have likely contributed to more proactive disclosures. Meanwhile, Microsoft continues to harden Edge with additional layers (such as Super Duper Secure Mode and enhanced phishing protection) that can mitigate the impact of Chromium flaws even before a patch is applied.

For Windows users and administrators, the takeaway is clear: enable automatic updates, verify the installed version after Patch Tuesday, and remain vigilant about browser behavior when moving between untrusted and trusted networks.

This article updates in real time as new information becomes available. The latest official advisories can be found at the references below.