PatchSiren

CVE-2026-8578 Google CVE debrief

CVE-2026-8578 describes an out-of-bounds read in Chrome's GPU path on Linux that could leak cross-origin data from a crafted HTML page after the renderer process has already been compromised. Google and NVD published the record on 2026-05-14, and NVD updated it on 2026-05-21. The issue is fixed in Chrome 148.0.7778.168 and later.

Vendor: Google
Product: Chrome
CVSS: LOW 3.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-21
Advisory published: 2026-05-14
Advisory updated: 2026-05-21

Who should care

Security and IT teams managing Google Chrome on Linux should care most, especially where browser sessions may access sensitive cross-origin content. Incident responders should also note the renderer-compromise precondition when assessing exposure in compromise chains.

Technical summary

NVD scores the flaw with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N: a low-confidentiality-impact issue that requires user interaction and has high attack complexity. The record maps the weakness to CWE-125 (out-of-bounds read) and lists Google Chrome on Linux versions prior to 148.0.7778.168 as vulnerable. The described impact is limited to cross-origin data disclosure; no integrity or availability impact is indicated in the supplied source.

Defensive priority

Medium

Recommended defensive actions

  • Update Google Chrome on Linux to version 148.0.7778.168 or later.
  • Prioritize patching managed Linux endpoints that handle sensitive browser-based data or SSO sessions.
  • Verify deployed Chrome versions across fleets and confirm they are not below 148.0.7778.168.
  • Track the vendor advisory and Chromium issue reference for any follow-up guidance or related fixes.
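
One way to run the fleet version check from the list above, as an added example that is not part of the advisory or of any Google tooling. It assumes an inventory of tab-separated "host, `google-chrome --version` output" lines; the host names, the inventory format and every version other than 148.0.7778.168 are constructed.

```shell
#!/bin/sh
# Added example: flag hosts whose Chrome build is below the fixed version.
# Host names, inventory format and non-fixed versions are constructed.
FIXED_VERSION="148.0.7778.168"   # fixed build stated in the advisory

# Pull the four-part build number out of `google-chrome --version` output,
# e.g. "Google Chrome 148.0.7778.168 ". Prints nothing if none is found.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1 || true
}

# Return 0 if version $1 >= version $2, comparing field by field as integers.
# A string comparison would wrongly rank 148.0.7778.99 above 148.0.7778.168.
version_ge() {
    a=$1 b=$2
    for i in 1 2 3 4; do
        fa=${a%%.*} fb=${b%%.*}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        a=${a#*.} b=${b#*.}
    done
    return 0
}

# Read "host<TAB>version output" lines on stdin and print one finding for
# each host that is below the fixed build or has no parsable version.
audit_inventory() {
    tab=$(printf '\t')
    while IFS=$tab read -r host raw; do
        [ -n "$host" ] || continue
        ver=$(extract_version "$raw")
        if [ -z "$ver" ]; then
            printf '%s UNKNOWN\n' "$host"
        elif ! version_ge "$ver" "$FIXED_VERSION"; then
            printf '%s VULNERABLE %s\n' "$host" "$ver"
        fi
    done
}

# Constructed sample inventory (not real hosts or real release numbers).
sample_inventory() {
    printf 'build-01\tGoogle Chrome 148.0.7778.168 \n'
    printf 'dev-07\tGoogle Chrome 148.0.7778.99 \n'
    printf 'kiosk-03\tGoogle Chrome 147.0.7700.200 \n'
    printf 'ci-12\tGoogle Chrome 149.0.7800.10 \n'
    printf 'lab-02\tcommand not found\n'
}

sample_inventory | audit_inventory
```

Hosts reported as UNKNOWN returned no parsable version and need a manual check rather than being counted as patched.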

Evidence notes

The supplied NVD record states the vulnerability is in Google Chrome on Linux prior to 148.0.7778.168 and includes the CVSS vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N. The weakness is mapped to CWE-125. Official references supplied in the record include the Google Chrome stable-channel advisory and the Chromium issue page, both tagged by the source as vendor/permissions-related references.

Official resources

Publicly disclosed on 2026-05-14 and updated in the NVD record on 2026-05-21. Timing here reflects the CVE record dates supplied in the source corpus, not any generation or review time.