PatchSiren

CVE-2026-8572 Google CVE debrief

A policy enforcement gap in Chrome's Network component on Android allowed a compromised renderer process to leak cross-origin data. The vulnerability was addressed in Chrome 148.0.7778.168.

Vendor: Google
Product: Chrome
CVSS: LOW 3.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Organizations with Android device fleets running Chrome; mobile security teams; developers implementing cross-origin policies in WebView or Chromium-based applications

Technical summary

The vulnerability stems from insufficient policy enforcement in Chrome's Network component specifically on Android. A threat actor who has already achieved renderer process compromise could leverage this flaw to extract cross-origin data. The attack requires: (1) prior renderer compromise, (2) user interaction, and (3) crafted HTML delivery. The fix in Chrome 148.0.7778.168 strengthens policy enforcement boundaries. The CWE-693 classification (Protection Mechanism Failure) aligns with the policy enforcement gap description.

Defensive priority

Routine

Recommended defensive actions

  • Update Google Chrome on Android devices to version 148.0.7778.168 or later
  • Monitor for stable channel security updates via official Chrome release channels
  • Review application sandboxing and renderer process isolation as defense-in-depth
  • No emergency action required given Low CVSS severity and absence of KEV listing
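
To apply the first action across a fleet, the following added example (not code from Google or from this advisory) classifies devices against the fixed build 148.0.7778.168. It assumes an inventory of lines in the form "<device-id> versionName=<version>", for instance collected from the versionName line of `dumpsys package com.android.chrome`; the device names and versions below are constructed.

```python
import re

FIXED = (148, 0, 7778, 168)  # fixed Chrome for Android build named on this page

# Constructed sample inventory (assumed format, not real devices).
SAMPLE_INVENTORY = """\
pixel-0001 versionName=148.0.7778.168
pixel-0002 versionName=148.0.7778.99
tab-0003 versionName=149.0.7801.12
kiosk-0004 versionName=147.0.7700.200
kiosk-0005 versionName=unknown
"""

_VERSION = re.compile(r"versionName=(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(line):
    """Return the four-part version as a tuple of ints, or None if unparseable."""
    m = _VERSION.search(line)
    return tuple(int(p) for p in m.groups()) if m else None


def audit(inventory, fixed=FIXED):
    """Map each device id to 'patched', 'vulnerable' or 'unknown'."""
    report = {}
    for raw in inventory.splitlines():
        if not raw.strip():
            continue
        device, _, rest = raw.strip().partition(" ")
        version = parse_version(rest)
        if version is None:
            # Unparseable entries need follow-up; never count them as patched.
            report[device] = "unknown"
        elif version >= fixed:
            # Integer tuple comparison: as strings, "…7778.99" sorts after "…7778.168".
            report[device] = "patched"
        else:
            report[device] = "vulnerable"
    return report


if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}\t{status}")
```

Devices reported as "unknown" should be re-inventoried rather than assumed safe.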

Evidence notes

The CVE description and NVD record confirm that the vulnerability affects Google Chrome on Android prior to version 148.0.7778.168. The Chromium issue tracker reference indicates restricted access (Permissions Required), which limits public technical detail. The CVSS 3.1 score of 3.1 (Low) reflects the conditions an attack must meet: network access, high attack complexity, and user interaction.
