PatchSiren cyber security CVE debrief
CVE-2026-8587 Google CVE debrief
CVE-2026-8587 is a use-after-free in Chrome Extensions affecting Google Chrome on Mac before version 148.0.7778.168. Exploitation requires persuading a user to install a malicious extension; the crafted extension can then trigger the use-after-free and achieve arbitrary code execution. The NVD CVSS 3.1 base score is 8.8 (High), while Chromium’s own severity label is Medium, because Chromium’s severity scale weighs the need for an already-installed malicious extension more heavily than CVSS does.
- Vendor: Google
- Product: Chrome
- CVSS: 8.8 (High)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-21
Who should care
Security teams responsible for Chrome endpoint management, browser hardening, and extension allowlisting should treat this as important. It is especially relevant for Mac fleets running Chrome prior to 148.0.7778.168 and for organizations that permit user-installed extensions.
Technical summary
The supplied record describes a use-after-free (CWE-416) in Chrome Extensions on Mac. The preconditions are that a user is socially engineered into installing a malicious extension and that the crafted extension then exercises the affected extensions code in a way that triggers the memory corruption; the stated impact is arbitrary code execution. NVD lists the vulnerable Chrome CPE with an end version excluded at 148.0.7778.168, and the CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: network-delivered, low attack complexity, no privileges required, a single user interaction, and high confidentiality, integrity and availability impact. Note that the vector encodes the extension install only as UI:R; it does not distinguish "install this extension" from "visit this page", which is part of why the CVSS rating sits above Chromium's Medium label.
Defensive priority
High
Recommended defensive actions
- Update Google Chrome on Mac to 148.0.7778.168 or later.
- Review and restrict extension installation paths, especially where users can add extensions without centralized approval.
- Audit installed extensions and remove anything untrusted, unnecessary, or recently added outside normal process.
- Use browser policy controls or extension allowlisting where available to limit extension execution.
- Alert users to social-engineering risks around “helpful” or “required” extensions and to report unexpected extension prompts.
- Validate endpoint fleet compliance against the fixed Chrome version and remediate lagging devices promptly.
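The actions above (version compliance, extension audit, allowlisting) can be scripted for a Mac fleet. The following is an added example written for this debrief, not tooling from PatchSiren or Google. It assumes the default install path `/Applications/Google Chrome.app` and the default user data directory under `~/Library/Application Support/Google/Chrome`; both are assumptions and relocated installs need the paths adjusted. The policy names `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are real Chrome enterprise policies. The sample extension profile is constructed inline so the audit runs offline.

```python
import json
import plistlib
import tempfile
from pathlib import Path

FIXED_VERSION = "148.0.7778.168"  # first fixed Chrome build named in the advisory
# Default macOS locations (assumptions; adjust for relocated installs or custom user data dirs)
CHROME_PLIST = "/Applications/Google Chrome.app/Contents/Info.plist"
USER_DATA_DIR = Path.home() / "Library/Application Support/Google/Chrome"
# Host patterns that grant an extension access to every site
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def parse_version(v):
    """Chrome versions are four dot-separated integers; compare numerically.
    A plain string compare ranks 148.0.7778.9 above 148.0.7778.168."""
    return tuple(int(p) for p in v.strip().split("."))


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed build is at or beyond the fixed build."""
    return parse_version(installed) >= parse_version(fixed)


def installed_chrome_version(plist_path=CHROME_PLIST):
    """Read CFBundleShortVersionString from the app bundle; None if Chrome is not there."""
    try:
        with open(plist_path, "rb") as f:
            return plistlib.load(f)["CFBundleShortVersionString"]
    except (FileNotFoundError, KeyError):
        return None


def audit_extensions(user_data_dir=USER_DATA_DIR):
    """Summarise every unpacked extension at <profile>/Extensions/<id>/<version>/manifest.json.
    MV2 manifests keep host patterns in 'permissions', MV3 in 'host_permissions'."""
    findings = []
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        try:
            m = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or half-written manifest; worth reporting separately
        perms = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
        findings.append({
            "profile": manifest.parents[3].name,
            "id": manifest.parents[1].name,      # directory name is the 32-char extension ID
            "name": m.get("name", "?"),           # Web Store items often show __MSG_*__ here
            "version": m.get("version", "?"),
            "broad_host_access": any(p in BROAD_HOSTS for p in perms),
            "permissions": perms,
        })
    return findings


def allowlist_policy(approved_ids):
    """Policy dict that blocks all extensions except the approved IDs.
    Serialise with plistlib and deploy via an MDM profile for the com.google.Chrome domain."""
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": list(approved_ids)}


def build_sample_user_data_dir():
    """Constructed sample profile (not real data) so the audit can run offline."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Helpful PDF Tool", "version": "1.2",
                                             "manifest_version": 3, "permissions": ["tabs", "scripting"],
                                             "host_permissions": ["<all_urls>"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Theme", "version": "0.1",
                                             "manifest_version": 3, "permissions": []},
    }
    for ext_id, manifest in samples.items():
        d = root / "Default" / "Extensions" / ext_id / (manifest["version"] + "_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    v = installed_chrome_version()
    print("installed:", v, "compliant:", v is not None and is_fixed(v))
    for f in audit_extensions(build_sample_user_data_dir()):
        flag = "BROAD-HOST" if f["broad_host_access"] else "ok"
        print(f["profile"], f["id"], f["name"], f["version"], flag)
    print(plistlib.dumps(allowlist_policy(["bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"])).decode())
```

Run the audit against the real user data directory (the default argument) after Chrome has been quit, since manifests of extensions mid-update can be incomplete; the version check should feed whatever inventory system tracks fleet compliance rather than be run by hand.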
Evidence notes
CVE publishedAt: 2026-05-14T20:17:21.083Z; modifiedAt: 2026-05-21T17:08:18.870Z. The source corpus identifies the issue in Google Chrome on Mac prior to 148.0.7778.168, references a Google Chrome stable channel advisory, and links a Chromium issue marked with permissions-required context. The NVD record shows the Chrome CPE as vulnerable up to but excluding 148.0.7778.168 and lists macOS itself as not vulnerable. No KEV entry is present in the supplied data.
Official resources
- CVE-2026-8587 CVE record (CVE.org)
- CVE-2026-8587 NVD detail (NVD)
- Source item: nvd_modified feed
- Mitigation or vendor reference: NVD reference tagged Vendor Advisory (Google Chrome stable channel advisory)
- Source reference: NVD reference tagged Permissions Required (Chromium issue)
Officially disclosed through the CVE record on 2026-05-14, with an NVD modification on 2026-05-21. The vendor advisory in the source set ties remediation to Chrome 148.0.7778.168.