PatchSiren cyber security CVE debrief

CVE-2026-8566 Google CVE debrief

A medium-severity vulnerability in Google Chrome on Android allows remote attackers to bypass discretionary access controls in the Payments component via a crafted HTML page. The flaw stems from insufficient policy enforcement and affects Chrome versions prior to 148.0.7778.168 on Android. Google has released a stable channel update to address this issue. The vulnerability was published on May 14, 2026, and last modified on May 19, 2026. No known exploitation in ransomware campaigns has been reported.

Vendor
Google
Product
Chrome
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-05-19
Advisory published
2026-05-14
Advisory updated
2026-05-19

Who should care

  • Android users who conduct financial transactions through the Chrome browser
  • Mobile application security teams
  • Organizations with BYOD policies that allow Chrome on Android devices
  • Payment processing security teams monitoring browser-based attack vectors

Technical summary

The vulnerability exists in the Payments component of Google Chrome on Android, where improper enforcement of security policy allows a remote attacker to bypass discretionary access controls. The attack requires user interaction (for example, visiting a malicious HTML page) but requires neither authentication nor elevated privileges. Successful exploitation could allow unauthorized actions within the payment context; the CVSS scoring records a low integrity impact and no confidentiality or availability impact. The fix was released in Chrome stable channel version 148.0.7778.168.

Defensive priority

Medium

Recommended defensive actions

  • Update Google Chrome on Android to version 148.0.7778.168 or later
  • Monitor for unexpected payment prompts or redirects while browsing
  • Review payment-related permissions for installed web applications
  • Apply security updates promptly as they become available through Google Play

Evidence notes

The CVE description confirms insufficient policy enforcement in the Payments component. CPE data identifies the affected product as Google Chrome on Android, with the version bound excluding 148.0.7778.168. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N indicates a network attack vector, low attack complexity and no privileges required, but user interaction is needed; the scope is unchanged and only integrity is affected (low). CWE-284 (Improper Access Control) is identified as the secondary weakness.
