cve 2026 7937

CVE-2026-7937 is a medium-severity Chromium vulnerability disclosed by Google and Microsoft on May 6, 2026. The flaw affects Chrome's DevTools policy enforcement in versions prior to Chrome 148.0.7778.96, allowing a malicious extension to bypass navigation restrictions after user installation on Windows, macOS, or Linux. Although the CVSS score is low and the exploit chain requires user interaction, the bug highlights a critical security boundary: the trust between a user and an installed extension. Discussions on WindowsForum emphasize that this seemingly minor flaw should not be dismissed as routine browser noise, as it underscores the importance of extension permissions and browser policy enforcement in modern desktop environments.