PatchSiren cyber security CVE debrief
CVE-2026-8565 Google CVE debrief
CVE-2026-8565 is a Medium-severity Chrome issue affecting Mac users running Google Chrome before 148.0.7778.168. According to the CVE description, an attacker who first convinces a user to install a malicious extension may be able to trigger UI spoofing through a crafted Chrome Extension. The CVSS v3.1 vector supplied by NVD is AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L, which reflects a user-interaction-dependent attack with limited confidentiality impact and no direct integrity impact.
- Vendor
- Product
- Chrome
- CVSS
- MEDIUM 4.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-14
- Original CVE updated
- 2026-05-21
- Advisory published
- 2026-05-14
- Advisory updated
- 2026-05-21
Who should care
Organizations that allow browser extensions on managed Macs, security teams responsible for Chrome patching, and users who install extensions outside of tightly controlled enterprise approval processes should pay attention. Help desk, endpoint management, and browser governance teams should also review extension-installation controls and update deployment status.
Technical summary
The vulnerability is described as inappropriate implementation in Downloads in Google Chrome on Mac prior to 148.0.7778.168. The issue can be abused only after social engineering gets the user to install a malicious extension, and the result is UI spoofing rather than code execution. NVD lists CWE-451 (User Interface Misrepresentation of Critical Information) and assigns a CVSS 3.1 vector of AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L. The vendor advisory reference indicates a Chrome stable-channel update, and the version boundary in the CVE record identifies 148.0.7778.168 as the fixed release.
Defensive priority
Medium. This is not a KEV-listed issue and the available evidence does not indicate known ransomware use, but it still merits prompt patching because successful abuse depends on user interaction and can be used to mislead users through browser UI spoofing.
Recommended defensive actions
- Update Google Chrome on Mac to 148.0.7778.168 or later.
- Prioritize managed Mac fleets that permit extension installation.
- Review extension allowlists, approval workflows, and browser policy enforcement to reduce the chance of malicious extension installation.
- Educate users to avoid installing browser extensions from untrusted prompts, download pages, or unsolicited instructions.
- Verify deployed Chrome versions and confirm remediation across both standard and long-lived endpoints.
Evidence notes
The CVE record states: "Inappropriate implementation in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension." NVD metadata marks Google Chrome as vulnerable up to, but not including, 148.0.7778.168 and lists macOS as not vulnerable in the CPE data, which suggests the issue is specific to Chrome running on Mac rather than macOS itself. The reference set includes a Google Chrome stable-channel advisory and a Chromium issue tagged "Permissions Required."
Official resources
-
CVE-2026-8565 CVE record
CVE.org
-
CVE-2026-8565 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Source reference
[email protected] - Permissions Required
The CVE was published on 2026-05-14 and last modified on 2026-05-21. The supplied source record and vendor references point to a Chrome-on-Mac issue fixed in 148.0.7778.168.