CVE-2026-0905
Published: 20 January 2026
Summary
CVE-2026-0905 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Google Chrome. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 9.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-9 (Protection of Audit Information) and SC-28 (Protection of Information at Rest).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-0905 by requiring timely flaw remediation through patching Chrome to version 144.0.7559.59 or later, fixing the insufficient policy enforcement in network logging.
Protects network log files from unauthorized access, preventing attackers from obtaining and extracting sensitive information exposed due to the policy enforcement flaw.
Ensures confidentiality of sensitive information at rest in Chrome network log files using access controls or encryption, blocking exposure if logs are obtained.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability exposes sensitive data in locally accessible network logs, directly facilitating extraction of information from the local system.
NVD Description
Insufficient policy enforcement in Network in Google Chrome prior to 144.0.7559.59 allowed an attack who obtained a network log file to potentially obtain potentially sensitive information via a network log file. (Chromium security severity: Medium)
Deeper analysisAI
CVE-2026-0905 is an insufficient policy enforcement vulnerability in the Network component of Google Chrome prior to version 144.0.7559.59. It allows an attacker who obtains a network log file to potentially access sensitive information through that log file. The issue is also present in Chromium and has been assigned CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), with Chromium rating its severity as Medium and a CVSS v3.1 base score of 9.8 (Critical), reflecting network accessibility, low attack complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability.
An attacker can exploit this vulnerability by first obtaining a network log file from a targeted Chrome instance. No special privileges or user interaction are needed beyond acquiring the log, enabling remote exploitation over the network. Successful exploitation allows the attacker to extract potentially sensitive information contained in the log file.
Google addressed this vulnerability in the stable channel update for Chrome desktop, as detailed in the release notes at https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html. Users should update to Chrome 144.0.7559.59 or later to mitigate the issue. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/465466773.
Details
- CWE(s)