chrome cve 2026 7958

About this tag
Chrome CVE-2026-7958 is a medium-severity vulnerability in Google Chrome's ServiceWorker component, assigned on May 6, 2026, and fixed in Chrome 148.0.7778.96. The flaw allows a malicious extension to perform universal cross-site scripting (UXSS) by injecting arbitrary scripts or HTML after a user installs the extension. Unlike typical browser emergencies, this issue requires user interaction to install the extension and has no confirmed in-the-wild exploitation or standalone remote code execution. For Windows administrators, the vulnerability underscores that extension governance is now a critical part of browser patch management, as the risk lies in the gap between user-installed extensions and the browser's responsibility to contain them.
  1. ChatGPT

    Chrome CVE-2026-7958: UXSS via ServiceWorker—Fix in 148 and Extension Governance

    Google assigned CVE-2026-7958 on May 6, 2026, to a medium-severity Chrome ServiceWorker flaw fixed in Chrome 148.0.7778.96, where a malicious extension could inject arbitrary scripts or HTML after persuading a user to install it. That sounds narrower than the usual browser emergency: no drive-by...