CVE-2026-10997: Chrome Extension Policy Bypass Vulnerability (149.0.7827.53)
Google Chrome versions before 149.0.7827.53 contain a flaw in how it enforces policies on extensions. An attacker could craft a malicious extension that, if installed by a user, would be able to bypass access controls that should normally restrict what the extension can do. This is a user-assisted attack—the victim must actively install the extension—but once installed, the extension gains unintended capabilities.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-732
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10997 stems from insufficient policy enforcement in Chrome's extension subsystem. The vulnerability allows a malicious extension to circumvent discretionary access control mechanisms through a crafted extension manifest or payload. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) reflects network-based delivery with user interaction required, high integrity impact, and no confidentiality or availability impact. The underlying weakness is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource).
Business impact
An attacker exploiting this vulnerability could modify or inject content, manipulate user data within the browser, or alter security-sensitive settings without appropriate permission warnings. Organizations relying on Chrome extension policies for security posture or compliance enforcement may find those controls bypassed. The attack requires user trust (convincing installation), but once established, the damage scope includes integrity of browsing sessions and potentially sensitive data manipulation.
Affected systems
All Google Chrome installations prior to version 149.0.7827.53 are affected. This includes Chrome on Windows, macOS, Linux, and Android platforms where extensions are supported. Users of Chromium-based browsers that incorporate the vulnerable code may also be affected; verify with your specific vendor.
Exploitability
Exploitability is straightforward from a technical standpoint but limited by social engineering requirements. An attacker must persuade the user to install a malicious extension, which may occur through deceptive packaging, bundling with legitimate tools, or supply chain compromise of an extension repository. Once installed, no further user action is needed for the vulnerability to be exploitable.
Remediation
Update to Google Chrome 149.0.7827.53 or later. Organizations should enforce automatic updates where feasible and audit currently installed extensions for suspicious behavior or unusual permission requests. Review extension allow-lists and consider restricting extension installation to curated catalogs.
Patch guidance
Apply Chrome version 149.0.7827.53 or later through standard update mechanisms. Most users can enable automatic updates in Chrome settings (Settings > About > Check for Updates). Enterprise deployments should use Google Admin Console or equivalent management tools to push and verify the patch across endpoints. Verify patch application by checking Settings > About > Google Chrome to confirm the installed version.
Detection guidance
Monitor for extensions installed outside official channels or with unusual permissions (particularly those requesting broad content script access, all-hosts permissions, or access to sensitive APIs). Behavioral indicators include unexplained network traffic from the browser process, unintended content injection, or changes to browser settings. Log extension installation events and periodically audit the extension list against organizational policy.
Why prioritize this
Although rated MEDIUM (CVSS 6.5), this vulnerability merits prompt attention because it directly undermines browser security policy enforcement—a foundational control for many organizations. The integrity impact is high, and the attack surface includes any employee who may be socially engineered. Prioritization should be HIGH in security-conscious environments and MEDIUM elsewhere.
Risk score, explained
The CVSS 6.5 MEDIUM rating reflects the requirement for user interaction (lowering severity) balanced against high integrity impact and low attack complexity. The vector shows no network-level authentication or privilege escalation needed, but the extension must reach the user's system and be installed. The lack of confidentiality or availability impact prevents a higher score, though integrity compromise of the browser environment is significant.
Frequently asked questions
Do I need to do anything if I have automatic updates enabled?
No. If Chrome is set to update automatically (the default), you will receive version 149.0.7827.53 automatically and do not need manual action. Verify the update applied by visiting Settings > About > Google Chrome.
Are Chromium-based browsers like Edge, Brave, or Vivaldi affected?
Potentially, if they haven't yet merged the upstream fix. Check your browser vendor's security advisory and apply their corresponding patch. Do not assume they have patched automatically.
What if I've already installed a suspicious extension?
Remove it immediately: Open Settings > Extensions, identify the extension, click Remove, then run a full antivirus/malware scan. If the extension modified sensitive settings, review your browser settings and password manager for unauthorized changes.
How can I prevent malicious extension installation in the future?
Only install extensions from the official Chrome Web Store, verify the developer reputation and user reviews, check the requested permissions before installing, and consider using extension management policies to restrict what can be installed on corporate devices.
This analysis is based on official CVE data and vendor information available as of the publication date. No proof-of-concept or exploit code is provided. Organizations should verify patch applicability within their environment and test updates in non-production systems before broad deployment. For the most current advisory, consult Google's official Chrome Security Release Notes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2021-4480HIGHDräger Protector Software Local Privilege Escalation Vulnerability
- CVE-2021-4481HIGHDräger Protector Software Local Privilege Escalation Vulnerability
- CVE-2026-10591HIGHAmazon Kiro IDE Remote Code Execution via Unsafe File Write
- CVE-2026-10840HIGHOpenShift Pipelines Operator RBAC Misconfiguration – Unauthorized Workload & Certificate Access
- CVE-2026-27788HIGHServerView Agents Windows Privilege Escalation Vulnerability
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0039MEDIUMAndroid Integer Overflow Denial of Service Vulnerability