CVE-2026-0905 in Chrome

Summary

by MITRE • 01/20/2026

Insufficient policy enforcement in Network in Google Chrome prior to 144.0.7559.59 allowed an attacker who obtained a network log file to potentially obtain potentially sensitive information via a network log file. (Chromium security severity: Medium)


Analysis

by VulDB Data Team • 01/20/2026

The vulnerability identified as CVE-2026-0905 represents a significant security weakness in Google Chrome's network policy enforcement mechanisms. This issue affects versions prior to 144.0.7559.59 and stems from inadequate access controls within the browser's network logging functionality. The flaw allows attackers who have already compromised or gained access to network log files to potentially extract sensitive information that should otherwise remain protected. This represents a critical failure in the principle of least privilege and data protection within the browser's security architecture.

The technical implementation of this vulnerability involves insufficient validation and access controls when processing network log files within Chrome's security framework. When network logs are generated, they contain metadata and potentially sensitive information about network communications, including protocol details, connection patterns, and timing information that could reveal user behavior patterns or system configurations. The vulnerability occurs because Chrome's policy enforcement system fails to properly restrict access to this sensitive data within log files, allowing unauthorized extraction of information that should be protected by the browser's security model. This flaw falls under the category of insufficient policy enforcement as defined by CWE-693, which addresses inadequate protection mechanisms in security systems.

The operational impact of CVE-2026-0905 extends beyond simple information disclosure, as network log files often contain detailed information about user activities, network connections, and system interactions that could be leveraged for further attacks. An attacker who has already obtained access to a network log file can exploit this vulnerability to extract additional sensitive data that might not be directly visible in the log content itself. The medium severity classification reflects the potential for significant information leakage, particularly when network logs contain information about internal network structures, user behavior patterns, or system configurations that could be used for targeted attacks or social engineering. This vulnerability aligns with ATT&CK technique T1071.004 for application layer protocol and T1566 for credential access through network monitoring tools.

Mitigation strategies for this vulnerability require immediate patching of Chrome installations to version 144.0.7559.59 or later, which contains the necessary policy enforcement improvements. Organizations should also implement additional security measures including network log file access controls, regular security audits of network logging configurations, and monitoring for unauthorized access to sensitive log files. The fix addresses the root cause by strengthening the access control mechanisms within Chrome's network logging system, ensuring that sensitive information within network log files is properly protected according to the browser's security model. Security teams should also consider implementing network segmentation and access controls for network logging systems to prevent unauthorized access to potentially sensitive information, aligning with security frameworks such as NIST SP 800-53 controls for access control and information protection.
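A defender-side check for the two mitigations named above (patch level and log file access controls), as an added example that is not part of this entry or of Chrome's code. The function names are hypothetical, the test for what counts as a network log (a JSON file whose first key is "constants") is an assumed heuristic, and the permission check assumes POSIX mode bits.

```python
import os
import stat
import sys

FIXED = (144, 0, 7559, 59)  # first fixed Chrome build, taken from the advisory


def is_patched(version: str) -> bool:
    """True if a dotted Chrome version string is at or above the fixed build."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts >= FIXED


def looks_like_netlog(path: str) -> bool:
    """Assumed heuristic: a network log capture is a JSON object whose
    first key is "constants". Only the head of the file is read."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return b"".join(head.split()).startswith(b'{"constants"')


def audit_netlogs(root: str) -> list[tuple[str, str]]:
    """Return (path, mode) for NetLog-like files readable by group or others."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not looks_like_netlog(path):
                continue
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, oct(st.st_mode & 0o777)))
    return findings


if __name__ == "__main__":
    # Usage: script.py <directory> [installed-chrome-version]
    if len(sys.argv) > 2:
        print("patched" if is_patched(sys.argv[2]) else "update required")
    for path, mode in audit_netlogs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{mode} {path}")
```

Files it reports can be restricted to their owner (mode 0600) or deleted once the capture is no longer needed.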

Disclosure: 01/20/2026

Moderation: accepted

CPE: ready

EPSS: 0.00221

KEV: no

Activities: very low
