CVE-2026-15108: Chrome Extensions API Vulnerability

CVE-2026-15108: Chrome Extensions API Vulnerability

Google Chrome extensions add functionality to the browser by interacting with its internal APIs. However, because extensions operate with elevated access to the browser via the Chrome Extensions API, any vulnerability in that API can expose users to security risks. 

CVE-2026-15108 is a vulnerability in the Google Chrome Extensions API caused by an integer overflow (CWE-190). This flaw causes incorrect memory boundary calculations, which can result in an out-of-bounds memory read. An attacker can exploit this by distributing a malicious Chrome extension that triggers the flaw when installed. 

What is CVE-2026-15108 

CVE-2026-15108 is an integer overflow vulnerability in the Google Chrome Extensions API. During certain memory operations, an integer overflow causes incorrect memory boundary calculations, which can lead to out-of-bounds memory access. If a user installs a malicious Chrome extension that triggers this flaw, an attacker can access unexpected regions of browser memory. 

Because exploitation requires the user to install a malicious extension, keeping Chrome updated and only installing extensions from trusted sources are the most effective ways to stay protected. 

What is Google Chrome Extensions API 

The Google Chrome Extensions API is a set of programming interfaces that allows developers to build browser extensions using Chrome’s core features, including tabs, bookmarks, local storage, notifications, and downloads. Extensions use these APIs to interact with web pages and browser functionality within Chrome’s security architecture. 

Because extensions require elevated privileges to interact with the browser, any vulnerability in the Extensions API can introduce significant security risks for Chrome users. 

Understanding Integer Overflow (CWE-190) 

An Integer Overflow (CWE-190) occurs when an arithmetic calculation produces a value too large for its integer data type to hold. Instead of storing the correct result, the value wraps around to an unexpected number, causing incorrect memory calculations. Attackers can exploit this to trigger unexpected application behaviour or gain access to memory regions outside the intended boundaries. 

How Does CVE-2026-15108 Work 

Exploitation requires an attacker to distribute a specially crafted Chrome extension that targets the Extensions API. When the extension is installed and executes certain operations, an integer overflow occurs, causing the browser to miscalculate memory boundaries. This leads to an out-of-bounds memory read, which can expose sensitive data from the browser’s process memory. 

Affected Google Chrome Versions 

CVE-2026-15108 affects all Google Chrome versions before 150.0.7871.115. Users running an affected version are at risk if they install a malicious extension that exploits this vulnerability. The flaw has been patched in Google Chrome 150.0.7871.115 and later. Keeping Chrome updated and installing extensions only from verified sources is the most effective protection. 

CVSS Score and Severity of CVE-2026-15108 

CVE-2026-15108 has a CVSS v3.1 score of 4.3, classified as Medium severity. This score reflects that exploitation requires user interaction — specifically, installing a malicious extension. However, Chromium’s internal security team rates this vulnerability as High severity due to the potential for sensitive memory exposure. The difference between the two ratings reflects the user interaction requirement rather than the severity of the impact itself. 

Impact of CVE-2026-15108 

If exploited, CVE-2026-15108 allows an attacker to read sensitive data from the browser’s process memory through an out-of-bounds memory read. Leaked memory may contain authentication tokens, session data, or other sensitive information that could be used to facilitate further attacks. This vulnerability does not allow remote code execution. 

How to Detect CVE-2026-15108 

The following methods can help identify whether managed devices are running a vulnerable version of Chrome or have suspicious extensions installed. 

To detect this vulnerability or suspicious activity in an enterprise environment 

Audit Browser Deployment Versions  

Run vulnerability scanners or system inventory tools (like Microsoft Intune, Nexpose, or Nessus) to identify endpoints running Google Chrome versions older than 150.0.7871.115.  

Monitor Installed Extension Manifests 

Check the inventory of installed Chrome extensions across managed devices. Look for extensions that are sideloaded, installed from untrusted developer channels, or missing from the official Chrome Web Store. 

Analyze Endpoint Detection and Response (EDR) Logs 

Monitor browser process behaviors. Pay attention to anomalies where specific extension processes attempt to access unauthorized memory spaces, cause frequent browser crashes, or leak internal browser state data. 

How to Fix CVE-2026-15108 

Because this vulnerability exists within the fundamental internal logic of the Chrome browser’s Extensions API framework, it can only be fixed by updating the core application.  

Upgrade Google Chrome Immediately 

Roll out Google Chrome version 150.0.7871.115 or later for Windows and macOS, and version 150.0.7871.114 or later for Linux. Users can manually update by opening Chrome and navigating to Settings -> About Chrome to trigger the automated installer and relaunch the application.  

Enforce Extension Policies via GPO/MDM  

Until systems are fully patched, use Group Policy Objects (GPO) or Mobile Device Management (MDM) platforms to strictly limit extension usage. Restrict standard users from sideloading unpacked extensions or installing extensions outside of a strictly curated enterprise allowlist. 

Educate Users on Social Engineering Risks  

Because this attack relies entirely on user interaction, educating users is an important defence. Users should never install browser extensions prompted by unsolicited pop-ups, suspicious emails, or unverified websites. Extensions should only be installed from the official Chrome Web Store and from trusted publishers. 

Alongside patching and updating, the following development and configuration practices help prevent integer overflow vulnerabilities more broadly. 

Integer overflows (CWE-190) happen when an arithmetic operation attempts to create a numeric value that is too large or too small to fit within the memory space allocated for it. This often causes numbers to wrap around to zero or negative values, confusing buffer allocation logic and leading to memory flaws like out-of-bounds reads or writes.  

 

Validate all inputs — including values from users, API calls, and size computations — to ensure they fall within acceptable ranges before any memory operations are performed. Safe arithmetic libraries such as Chromium’s Checked Numeric library can detect and prevent overflow conditions during calculations. 

Compiler options such as -fsanitize=integer in Clang can catch integer overflow issues during testing. Regular static analysis (SAST) and strong type checking help identify unsafe calculations, buffer size mismatches, and data truncations before software is released. 

Frequently Asked Questions (FAQs)

A. No. The root flaw resides specifically within the Extensions API layer. A user must explicitly download and install a crafted extension to trigger the memory vulnerability.  

A. An out-of-bounds read lets an attacker access data stored in adjacent memory locations that should be off-limits. This can expose sensitive records like active authentication tokens, encryption keys, or personal browsing data.  

A. Yes, any web browser relying on the core Chromium open-source project—such as Microsoft Edge, Brave, Vivaldi, or Opera—shares the same base Extensions API architecture and requires updates from their respective vendors. 

Conclusion 

CVE-2026-15108 is a reminder that vulnerabilities in browser extension APIs can expose sensitive memory even without enabling remote code execution. Because exploitation requires installing a malicious extension, users who keep Chrome updated to version 150.0.7871.115 or later and restrict extensions to trusted sources are effectively protected against this vulnerability.