Google and Microsoft simultaneously disclosed a high-severity vulnerability in the V8 JavaScript engine on May 6, 2026, pushing out emergency patches for Chrome and Edge. The flaw, indexed as CVE-2026-7999, allows attackers to glean sensitive information from memory, potentially paving the way for more devastating exploits. Both browser vendors rank the bug as important, with Google classifying it as a ‘High’ severity information disclosure issue. Users of any Chromium-based browser—Chrome, Edge, Brave, Opera, and others—must update immediately to block active or imminent attacks.

What Is CVE-2026-7999?

CVE-2026-7999 resides in V8, the open-source JavaScript and WebAssembly engine that powers Chrome, Microsoft Edge, and countless other Chromium derivatives. V8 translates JavaScript into optimized machine code, handling complex operations like JIT (Just-In-Time) compilation and garbage collection. An information disclosure vulnerability here means an attacker can craft a malicious web page that forces the engine to leak memory contents—data such as cookies, authentication tokens, or pointers that can be exploited to bypass security defenses like ASLR (Address Space Layout Randomization).

Google’s advisory describes the bug as a “memory corruption in V8” leading to out-of-bounds read. Typically, such flaws arise from type confusion, incorrect handling of object maps, or errors in optimizing compilers like TurboFan. When exploited, the browser’s renderer process can be coerced into reading bytes beyond an allocated buffer. That leaked data is then exfiltrated to a remote attacker. Even though the flaw does not allow direct code execution, it can be chained with other bugs to achieve full remote code execution (RCE). Paired with a sandbox escape, an attacker could seize control of the underlying operating system.

Microsoft’s description, published in the Security Update Guide, mirrors Google’s but specifically calls out the impact on Windows users. EdgeHTML is long gone; Edge uses the Chromium engine, so any V8 vulnerability affects it equally. Microsoft assigned its own severity rating of Important and links to CVE-2026-7999 as the root cause.

Affected Versions

Any installation of Google Chrome prior to version 148.0.7778.96 is vulnerable. The fix arrives in the stable channel release 148.0.7778.96 for Windows, Mac, and Linux. Microsoft Edge before version 148.0.7778.97 is equally at risk. The slight version discrepancy arises because Edge bundles additional Windows-specific integrations and may ship with a later patch number. Other Chromium-based browsers that consume the same engine—Brave, Vivaldi, Opera, and even third-party apps embedding Chromium—will need to issue their own updates once they incorporate the V8 fix.

Both Chrome and Edge roll out updates automatically over the coming days. Users can verify their version by navigating to chrome://settings/help or edge://settings/help. If the version is below the fixed release, an update should begin immediately. A browser restart completes the process.

Real-World Exploitation and Risk

Google’s advisory does not confirm active exploitation in the wild, but the race is on. Historically, V8 information disclosure bugs are prized by attackers. They often serve as the initial stage in a multi-exploit chain. The Chromium sandbox restricts the renderer process from directly interacting with the OS, but leaked memory contents can map the process’s memory layout, enabling a follow-up RCE exploit to reliably place shellcode.

For enterprises and individuals handling sensitive data, the risk is notable. A single visit to a compromised or malicious website could leak session tokens, enabling account takeover. Even without chaining, the data theft itself can be damaging. Security researcher Anton Belov, who frequently contributes to Chromium’s VRP, noted on his blog, “Info disclosure bugs in V8 are the skeleton key for many sophisticated attacks. Don’t underestimate them.” While Belov is unaffiliated with this specific CVE, his sentiment echoes throughout the security community.

Patching Chrome on Windows

Google Chrome’s stable channel update 148.0.7778.96 began rolling out on May 6, 2026, and should reach most users within a week. To force the update manually:

  1. Open Chrome.
  2. Click the three-dot menu (top-right).
  3. Navigate to Help > About Google Chrome.
  4. Chrome will check for updates and download the latest version.
  5. Click Relaunch to apply.

If your system is managed by IT, the update may be deployed via configuration management tools. Google provides MSI installers and group policy templates for enterprise environments. Ensuring automatic updates are enabled is the simplest protection.

Patching Microsoft Edge on Windows

Microsoft released Edge 148.0.7778.97 to the Stable channel on the same day. Windows Update handles Edge updates automatically for consumer devices. You can trigger a manual update inside the browser:

  1. Open Edge.
  2. Click the three-dot menu.
  3. Select Help and feedback > About Microsoft Edge.
  4. Edge downloads any pending updates automatically.
  5. Restart the browser.

For enterprise deployments, Microsoft publishes updates through Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. IT admins should approve the update immediately. The update is also available via the Microsoft Update Catalog for offline patching.

Linux and macOS Also Affected

Although this publication focuses on Windows, CVE-2026-7999 is cross-platform. Linux and macOS Chrome users should update to the same version. Edge on Linux and macOS follows the same versioning and update cadence. System administrators managing Chromium deployments on servers or in kiosk mode need to ensure their package managers pull the patched build.

Mitigations If You Can’t Patch Immediately

If updating is delayed—perhaps due to compatibility testing—a few temporary measures can reduce risk:

  • Use a text-mode browser or disable JavaScript entirely. In Chrome, you can block JavaScript via chrome://settings/content/javascript, but this breaks most websites.
  • Restrict browsing to trusted, HTTPS-only sites. An ad blocker with strict filter lists can reduce exposure to malvertising.
  • Isolate the browser inside a virtual machine or use Windows Sandbox. That way, even if the renderer is compromised, the host remains protected.
  • Deploy a browser isolation extension or use a remote browser isolation service.
  • Monitor for abnormal browser behavior, such as unexplained CPU spikes or network connections to unfamiliar IPs.

None of these are as effective as patching. The only sure fix is updating to the corrected version.

Technical Details (Restricted for Now)

Following its standard responsible disclosure policy, Google has withheld full technical analysis and proof-of-concept code. The Chromium bug tracker entry is marked “Restrict-View-SecurityTeam” until the majority of users have updated. This delay is intended to prevent rapid weaponization. Past disclosures usually become public 14–30 days after release.

We do know that CVE-2026-7999 was reported externally. Google’s release notes thank an unnamed researcher, indicating a bounty was likely paid through the Vulnerability Reward Program. The specific bounty amount remains undisclosed but for a High-severity info disclosure, it could range from $5,000 to $15,000.

Microsoft’s advisory adds that the vulnerability requires user interaction—the victim must visit a specially crafted web page. Although no active exploits were seen at disclosure time, proof-of-concept code often surfaces within days. Given the short median time to exploit for browser bugs, patching within 48 hours is critical.

How This Compares to Recent V8 Flaws

V8 has been a fertile ground for vulnerability researchers. In 2025 alone, seven high-severity issues were patched in Chrome, more than half in V8. A similar info disclosure, CVE-2025-29123, was patched in Chrome 144 and was later exploited in targeted attacks against financial institutions. The pattern is consistent: an info leak paves the way to RCE. The Chromium security team has invested heavily in sandboxing and site isolation, but V8 exploits remain the most common entry vector for browser attacks.

User and Enterprise Guidance

For most Windows users, the update is transparent. Behind the scenes, Chrome and Edge download and stage the new version, prompting a relaunch. The browsers display a color-coded update indicator—green, orange, red—to nudge users. Since version 148, both browsers have become more aggressive about applying updates after a two-day grace period, automatically restarting during idle periods. Users who see a red indicator should manually restart immediately.

IT administrators should verify that their update rings and deployment schedules are not blocking this urgent patch. Microsoft recommends configuring Edge to allow automatic updates even on managed devices, unless a specific compatibility issue exists. Group Policy settings “Update policy override” and “Auto-update check period override” must be reviewed. Google provides Chrome Browser Cloud Management for granular policy control.

Conclusion

CVE-2026-7999 is another reminder that the modern browser is a prime target. With millions of lines of code in V8, bugs are inevitable. Google and Microsoft’s rapid coordinated disclosure and patch underscore the severity. The fix is simple: check your version, update, and relaunch. For enterprise environments, treat this as a high-priority security patch and push it through your standard change management process as an emergency update.

Staying on the latest browser version is the single most effective defense against web-based attacks, short of disconnecting from the internet. If you are reading this article in Chrome or Edge, take a moment now to verify your version.