PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8562 Apple CVE debrief

CVE-2026-8562 is a medium-severity information disclosure issue in Google Chrome's Navigation component. A remote attacker can use a crafted HTML page to trigger a side-channel leak of cross-origin data in versions before 148.0.7778.168. The record is rated CVSS 4.3 and requires user interaction.

Vendor: Apple
Product: Unknown
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-18
Advisory published: 2026-05-14
Advisory updated: 2026-05-18

Who should care

Organizations and individuals running Google Chrome versions earlier than 148.0.7778.168 should care, especially managed desktop fleets and users who routinely browse untrusted content. Security teams responsible for browser patching and update compliance should prioritize validation of the fixed release.

Technical summary

NVD describes this as a side-channel information leakage flaw in Navigation in Google Chrome prior to 148.0.7778.168. The attacker model is remote, and the attack is delivered through a crafted HTML page that can leak cross-origin data. The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, and the associated weakness is CWE-1300.

Defensive priority

Medium. The issue can expose limited confidentiality data and does require user interaction, but it affects a widely deployed browser and is remediated by updating to the fixed Chrome release.

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.168 or later.
  • Verify that managed endpoints are receiving and applying the browser update.
  • Prioritize patching on systems that regularly access untrusted or externally supplied web content.
  • Confirm browser version compliance in enterprise asset and endpoint management tools.
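
The version-compliance check in the last action, sketched as an added example (not PatchSiren or vendor code). The fixed version comes from this page; the CSV layout, column names and hostnames are constructed assumptions standing in for an endpoint-management export.

```python
import csv
import io
import re

# Fixed release named in the advisory text above.
FIXED = (148, 0, 7778, 168)

# Constructed sample export; hostnames and column names are assumptions.
SAMPLE_INVENTORY = """hostname,chrome_version
ws-001,148.0.7778.168
ws-002,148.0.7778.99
ws-003,147.0.7700.210
ws-004,149.0.7800.12
ws-005,
ws-006,148.0.7778
ws-007,Version 148.0.7778.200 (Official Build)
"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", re.ASCII)

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not exactly a four-part version."""
    m = VERSION_RE.fullmatch(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version_text):
    """Return 'patched', 'vulnerable', or 'unknown' (unparseable: review by hand)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    # Tuple comparison is numeric per component. Plain string comparison
    # would wrongly rank "148.0.7778.99" above "148.0.7778.168".
    return "patched" if v >= FIXED else "vulnerable"

def audit(csv_text):
    """Group hostnames from the inventory export by compliance status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report[classify(row.get("chrome_version") or "")].append(row["hostname"])
    return report

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {len(hosts):2}  {', '.join(hosts)}")
```

Hosts reported as unknown (missing, truncated or decorated version strings) are kept separate from patched hosts so they are not counted as compliant.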

Evidence notes

The supplied NVD record marks Google Chrome as vulnerable only up to version 148.0.7778.168 and cites the Chromium stable channel update plus Chromium issue 40057534. The record's CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, with CWE-1300 listed as the weakness. The supplied vendor metadata is inconsistent: the vendor field says Apple, but the vulnerability references and affected CPE clearly point to Google Chrome. Apple/macOS/Linux/Windows CPE entries in the record are marked not vulnerable.

Official resources

CVE-2026-8562 was published on 2026-05-14 and last modified on 2026-05-18. Use the publication date as the primary disclosure timing reference; the later modification reflects record updates, not the original issue date.