PatchSiren cyber security CVE debrief
CVE-2026-7915 Google CVE debrief
CVE-2026-7915 is a browser-security issue in Google Chrome described as insufficient data validation in DevTools that could let a remote attacker bypass navigation restrictions using a crafted HTML page. The CVE record was published on 2026-05-06 and later modified on 2026-05-10. Google’s advisory points to a fix in Chrome 148.0.7778.96, and the NVD entry classifies the issue as CVSS 4.3 (Medium) with user interaction required. Chromium’s own severity label is High, so defenders should treat this as a meaningful browser update even though the standardized CVSS score is lower.
- Vendor
- Product
- CVE-2026-7915
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-06
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-06
- Advisory updated: 2026-05-10
Who should care
Security teams managing Google Chrome deployments, especially Android fleets; mobile device management administrators; enterprise users who open untrusted HTML/content in Chrome; and anyone responsible for keeping browser builds current.
Technical summary
The available record says the weakness is an insufficient data validation problem in Chrome DevTools that can be abused by a remote attacker to bypass navigation restrictions via a crafted HTML page. NVD lists the vulnerable Chrome version range as everything before 148.0.7778.96 and provides the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating network reachability, no privileges required, and user interaction required. NVD also marks Android itself as not vulnerable in the CPE data, which is worth noting alongside the CVE description that references Google Chrome on Android.
Defensive priority
Medium-high. The score is only 4.3, but the issue is remotely triggerable, requires user interaction, and has a vendor severity label of High. Prioritize normal browser patching timelines and fast-track any managed Chrome Android estate that has not yet reached 148.0.7778.96 or later.
Recommended defensive actions
- Update Google Chrome to 148.0.7778.96 or later as soon as practical.
- Verify fleet inventory and confirm Android Chrome builds are on the fixed version.
- Use managed rollout controls to accelerate patching on high-risk user groups.
- Treat untrusted HTML content and unknown links as higher-risk until the patch is widely deployed.
- Track the linked Google release note for any follow-on clarification or superseding fixes.
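One way to run the inventory check from the list above, as an added example that is not part of the original debrief or any vendor tooling. The CSV column names, device IDs and sample rows are constructed assumptions; only the fixed version 148.0.7778.96 comes from the advisory.

```python
import csv
import io
import re

FIXED = (148, 0, 7778, 96)  # fixed Chrome build named in the advisory

# Constructed sample inventory; column names and device IDs are assumptions.
SAMPLE_INVENTORY = """device_id,platform,chrome_version
dev-001,android,148.0.7778.96
dev-002,android,148.0.7778.100
dev-003,android,147.0.7700.120
dev-004,windows,148.0.7778.9
dev-005,android,unknown
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return a 4-tuple of ints for a MAJOR.MINOR.BUILD.PATCH string, else None."""
    match = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text, fixed=FIXED):
    """Return 'patched', 'vulnerable', or 'unknown' for one reported version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable data needs follow-up, not a pass
    # Tuple comparison is numeric per component, so .100 ranks above .96;
    # comparing the raw strings would rank it below and misreport the device.
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory_csv):
    """Group device IDs from a CSV inventory by patch status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row["chrome_version"])].append(row["device_id"])
    return report


if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices in the "unknown" bucket are reported separately so that missing or malformed version data is chased up rather than counted as patched.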
Evidence notes
Sources provided include the CVE record and NVD detail entry, plus Google’s Chrome release advisory and a Chromium issue reference. The CVE description states the impact and fixed version. NVD metadata supplies the CVSS vector and version boundary before 148.0.7778.96. The source corpus also shows a platform-data inconsistency to keep in mind: the description refers to Chrome on Android, while the NVD CPE listing marks google:chrome as vulnerable and android as not vulnerable. The Chromium issue link is permissions-restricted, so no additional technical claims are made beyond the supplied record.
Official resources
- CVE-2026-7915 CVE record (CVE.org)
- CVE-2026-7915 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Vendor Advisory)
- Source reference (Issue Tracking, Permissions Required)
Publicly disclosed in the CVE record on 2026-05-06 and modified on 2026-05-10. No KEV listing was provided in the source corpus.