CVE-2026-8520

Google · Chrome

A race condition exists within the Payments component of Google Chrome, which could allow a remote attacker to achieve unauthorized actions through manipulated browser processes.

Executive summary

A race condition vulnerability in Google Chrome’s Payments component could be leveraged by a remote attacker to bypass security checks and impact system integrity.

Vulnerability

This vulnerability involves a race condition (CWE-362) within the browser's Payments module. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) indicates that exploitation is highly dependent on timing and user interaction, but carries a high impact if successful, potentially affecting the integrity of browser-based transactions.

Business impact

Exploitation of race conditions in payment processing modules can lead to direct financial risk or unauthorized transaction manipulation. With a CVSS score of 8.3, the vulnerability is classified as high severity, and the potential for cross-site scripting or sandbox escape (implied by S:C) necessitates urgent attention.

Remediation

Immediate Action: Update all Google Chrome installations to version 148.0.7778.168 or later to resolve the race condition.

Proactive Monitoring: Review browser logs and transaction monitoring systems for anomalous behavior related to payment processing or checkout flows.

Compensating Controls: Implement strict Content Security Policies (CSP) and ensure that users are educated on the risks of interacting with untrusted web content during sensitive transactions.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations should treat this vulnerability with high urgency, particularly those that utilize browser-based payment systems. Updating to the latest version of Chrome is the only effective way to eliminate the underlying race condition and secure the payment processing environment.