Cyber Resilience

CVE-2026-0905

Critical

Published: 20 January 2026

Published
20 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0022 12.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-0905 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Google Chrome. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 12.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-9 (Protection of Audit Information) and SC-28 (Protection of Information at Rest).

Deeper analysis

CVE-2026-0905 is an insufficient policy enforcement vulnerability in the Network component of Google Chrome prior to version 144.0.7559.59. It allows an attacker who obtains a network log file to potentially access sensitive information through that log file. The issue is also present in Chromium and has been assigned CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), with Chromium rating its severity as Medium and a CVSS v3.1 base score of 9.8 (Critical), reflecting network accessibility, low attack complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability.

An attacker can exploit this vulnerability by first obtaining a network log file from a targeted Chrome instance. No special privileges or user interaction are needed beyond acquiring the log, enabling remote exploitation over the network. Successful exploitation allows the attacker to extract potentially sensitive information contained in the log file.

Google addressed this vulnerability in the stable channel update for Chrome desktop, as detailed in the release notes at https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html. Users should update to Chrome 144.0.7559.59 or later to mitigate the issue. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/465466773.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Insufficient policy enforcement in Network in Google Chrome prior to 144.0.7559.59 allowed an attack who obtained a network log file to potentially obtain potentially sensitive information via a network log file. (Chromium security severity: Medium)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Vulnerability exposes sensitive data in locally accessible network logs, directly facilitating extraction of information from the local system.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-9981Same product: Apple Macos
CVE-2026-7357Same product: Apple Macos
CVE-2026-10018Same product: Apple Macos
CVE-2026-8000Same product: Apple Macos
CVE-2026-4675Same product: Apple Macos
CVE-2026-7349Same product: Apple Macos
CVE-2026-7347Same product: Apple Macos
CVE-2026-4460Same product: Apple Macos
CVE-2026-7342Same product: Apple Macos
CVE-2025-13226Same product: Apple Macos

Affected Assets

google
chrome
≤ 144.0.7559.59 · ≤ 144.0.7559.60

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-0905 by requiring timely flaw remediation through patching Chrome to version 144.0.7559.59 or later, fixing the insufficient policy enforcement in network logging.

prevent

Protects network log files from unauthorized access, preventing attackers from obtaining and extracting sensitive information exposed due to the policy enforcement flaw.

prevent

Ensures confidentiality of sensitive information at rest in Chrome network log files using access controls or encryption, blocking exposure if logs are obtained.

References