PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8586 Google CVE debrief

CVE-2026-8586 is a medium-severity local access control bypass in Google Chrome's Chromoting component, affecting versions prior to 148.0.7778.168. The vulnerability stems from an inappropriate implementation that allows a local attacker to bypass discretionary access control by leveraging a malicious file. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) indicates an attack vector adjacent to the target network, requiring user interaction but no privileges, with low impacts across confidentiality, integrity, and availability. The Chromium security team rated this as Medium severity. The issue was disclosed on May 14, 2026, with the NVD record subsequently analyzed and modified on May 18, 2026. Google addressed this in the stable channel update released May 12, 2026.

Vendor
Google
Product
Chrome
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-05-18
Advisory published
2026-05-14
Advisory updated
2026-05-18

Who should care

Organizations with Chrome deployments enabling Chromoting/remote desktop functionality, particularly those with bring-your-own-device policies or unmanaged endpoints where local file execution risks are elevated. Security teams prioritizing local privilege escalation and access control bypass scenarios in browser-adjacent attack chains.

Technical summary

The vulnerability exists in Chromoting, Chrome's remote desktop component, where an inappropriate implementation allows local attackers to bypass discretionary access controls. The attack requires user interaction with a malicious file and originates from an adjacent network position. The underlying weakness is categorized as CWE-284 (Improper Access Control). The fix was released in Chrome 148.0.7778.168 on May 12, 2026.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Google Chrome to version 148.0.7778.168 or later to remediate this vulnerability
  • Review local file handling policies and restrict execution of untrusted files on systems running Chrome
  • Monitor for anomalous Chromoting service activity on endpoints, particularly file access patterns from adjacent network positions
  • Apply principle of least privilege to Chrome processes and Chromoting components where feasible
  • Validate Chrome update deployment across managed endpoints given the medium severity and local attack vector

Evidence notes

CVE description confirms local attack vector via malicious file. CVSS 3.1 vector AV:A indicates adjacent network attack surface. CPE criteria confirms affected versions prior to 148.0.7778.168. Chromium bug tracker reference indicates permissions-required access to full technical details.

Official resources

2026-05-14