PAN-SA-2026-0007 Chromium and Prisma Browser: Monthly Vulnerability Update (May 2026)
| Metric | Value |
|---|---|
| Exploit Maturity | UNREPORTED |
| Response Effort | MODERATE |
| Recovery | USER |
| Value Density | DIFFUSE |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Attack Requirements | NONE |
| Automatable | NO |
| User Interaction | ACTIVE |
| Product Confidentiality | HIGH |
| Product Integrity | HIGH |
| Product Availability | HIGH |
| Privileges Required | NONE |
| Subsequent Confidentiality | NONE |
| Subsequent Integrity | NONE |
| Subsequent Availability | NONE |
Description
Palo Alto Networks incorporated the following Chromium security fixes into our products:
- https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html
- https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html
- https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html
- https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
| CVE | Summary |
|---|---|
| CVE-2026-4439 | Out of bounds memory access in WebGL |
| CVE-2026-4440 | Out of bounds read and write in WebGL |
| CVE-2026-4441 | Use after free in Base |
| CVE-2026-4442 | Heap buffer overflow in CSS |
| CVE-2026-4443 | Heap buffer overflow in WebAudio |
| CVE-2026-4444 | Stack buffer overflow in WebRTC |
| CVE-2026-4445 | Use after free in WebRTC |
| CVE-2026-4446 | Use after free in WebRTC |
| CVE-2026-4447 | Inappropriate implementation in V8 |
| CVE-2026-4448 | Heap buffer overflow in ANGLE |
| CVE-2026-4449 | Use after free in Blink |
| CVE-2026-4450 | Out of bounds write in V8 |
| CVE-2026-4451 | Insufficient validation of untrusted input in Navigation |
| CVE-2026-4452 | Integer overflow in ANGLE |
| CVE-2026-4453 | Integer overflow in Dawn |
| CVE-2026-4454 | Use after free in Network |
| CVE-2026-4455 | Heap buffer overflow in PDFium |
| CVE-2026-4456 | Use after free in Digital Credentials API |
| CVE-2026-4457 | Type Confusion in V8 |
| CVE-2026-4458 | Use after free in Extensions |
| CVE-2026-4459 | Out of bounds read and write in WebAudio |
| CVE-2026-4460 | Out of bounds read in Skia |
| CVE-2026-4461 | Inappropriate implementation in V8 |
| CVE-2026-4462 | Out of bounds read in Blink |
| CVE-2026-4463 | Heap buffer overflow in WebRTC |
| CVE-2026-4464 | Integer overflow in ANGLE |
| CVE-2026-4673 | Heap buffer overflow in WebAudio |
| CVE-2026-4674 | Out of bounds read in CSS |
| CVE-2026-4675 | Heap buffer overflow in WebGL |
| CVE-2026-4676 | Use after free in Dawn |
| CVE-2026-4677 | Inappropriate implementation in WebAudio |
| CVE-2026-4678 | Use after free in WebGPU |
| CVE-2026-4679 | Integer overflow in Fonts |
| CVE-2026-4680 | Use after free in FedCM |
| CVE-2026-5272 | Heap buffer overflow in GPU |
| CVE-2026-5273 | Use after free in CSS |
| CVE-2026-5274 | Integer overflow in Codecs |
| CVE-2026-5275 | Heap buffer overflow in ANGLE |
| CVE-2026-5276 | Insufficient policy enforcement in WebUSB |
| CVE-2026-5277 | Integer overflow in ANGLE |
| CVE-2026-5278 | Use after free in Web MIDI |
| CVE-2026-5279 | Object corruption in V8 |
| CVE-2026-5280 | Use after free in WebCodecs |
| CVE-2026-5281 | Use after free in Dawn |
| CVE-2026-5282 | Out of bounds read in WebCodecs |
| CVE-2026-5283 | Inappropriate implementation in ANGLE |
| CVE-2026-5284 | Use after free in Dawn |
| CVE-2026-5285 | Use after free in WebGL |
| CVE-2026-5286 | Use after free in Dawn |
| CVE-2026-5287 | Use after free in PDF |
| CVE-2026-5288 | Use after free in WebView |
| CVE-2026-5289 | Use after free in Navigation |
| CVE-2026-5290 | Use after free in Compositing |
| CVE-2026-5291 | Inappropriate implementation in WebGL |
| CVE-2026-5292 | Out of bounds read in WebCodecs |
| CVE-2026-5876 | Side-channel information leakage in Navigation |
| CVE-2026-5881 | Policy bypass in LocalNetworkAccess |
| CVE-2026-5884 | Insufficient validation of untrusted input in Media |
| CVE-2026-5886 | Out of bounds read in WebAudio |
| CVE-2026-5893 | Race in V8 |
| CVE-2026-5909 | Integer overflow in Media |
| CVE-2026-5914 | Type Confusion in CSS |
| CVE-2026-5919 | Insufficient validation of untrusted input in WebSockets |
| CVE-2026-6305 | Heap buffer overflow in PDFium |
| CVE-2026-6361 | Heap buffer overflow in PDFium |
| CVE-2026-6921 | Race in GPU |
| CVE-2026-7343 | Use after free in Views |
| CVE-2026-7359 | Use after free in ANGLE |
| CVE-2026-7361 | Use after free in iOS |
| CVE-2026-7363 | Use after free in Canvas |
| CVE-2026-7981 | Out of bounds read in Codecs |
| CVE-2026-8018 | Insufficient policy enforcement in DevTools |
| CVE-2026-8022 | Inappropriate implementation in MHTML |
| CVE-2026-0237 | Prisma Browser: Improperly Restricted Automation Bridge Allows Security Bypass |
| CVE-2026-0236 | Prisma Browser: Code Injection Enables Security Controls Bypass |
| CVE-2026-0235 | Prisma Browser: Access and Data Rule Bypass |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Prisma Browser | < 146.10.7.154 | >= 148.6.3.96 |
Required Configuration for Exposure
No special configuration is required to be affected by this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 6.1 / CVSS-B: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Solution
| CVE | Prisma Browser |
|---|---|
| CVE-2026-4439 | 146.10.7.154 |
| CVE-2026-4440 | 146.10.7.154 |
| CVE-2026-4441 | 146.10.7.154 |
| CVE-2026-4442 | 146.10.7.154 |
| CVE-2026-4443 | 146.10.7.154 |
| CVE-2026-4444 | 146.10.7.154 |
| CVE-2026-4445 | 146.10.7.154 |
| CVE-2026-4446 | 146.10.7.154 |
| CVE-2026-4447 | 146.10.7.154 |
| CVE-2026-4448 | 146.10.7.154 |
| CVE-2026-4449 | 146.10.7.154 |
| CVE-2026-4450 | 146.10.7.154 |
| CVE-2026-4451 | 146.10.7.154 |
| CVE-2026-4452 | 146.10.7.154 |
| CVE-2026-4453 | 146.10.7.154 |
| CVE-2026-4454 | 146.10.7.154 |
| CVE-2026-4455 | 146.10.7.154 |
| CVE-2026-4456 | 146.10.7.154 |
| CVE-2026-4457 | 146.10.7.154 |
| CVE-2026-4458 | 146.10.7.154 |
| CVE-2026-4459 | 146.10.7.154 |
| CVE-2026-4460 | 146.10.7.154 |
| CVE-2026-4461 | 146.10.7.154 |
| CVE-2026-4462 | 146.10.7.154 |
| CVE-2026-4463 | 146.10.7.154 |
| CVE-2026-4464 | 146.10.7.154 |
| CVE-2026-4673 | 146.16.6.165 |
| CVE-2026-4674 | 146.16.6.165 |
| CVE-2026-4675 | 146.16.6.165 |
| CVE-2026-4676 | 146.16.6.165 |
| CVE-2026-4677 | 146.16.6.165 |
| CVE-2026-4678 | 146.16.6.165 |
| CVE-2026-4679 | 146.16.6.165 |
| CVE-2026-4680 | 146.16.6.165 |
| CVE-2026-5272 | 146.16.9.178 |
| CVE-2026-5273 | 146.16.9.178 |
| CVE-2026-5274 | 146.16.9.178 |
| CVE-2026-5275 | 146.16.9.178 |
| CVE-2026-5276 | 146.16.9.178 |
| CVE-2026-5277 | 146.16.9.178 |
| CVE-2026-5278 | 146.16.9.178 |
| CVE-2026-5279 | 146.16.9.178 |
| CVE-2026-5280 | 146.16.9.178 |
| CVE-2026-5281 | 146.16.9.178 |
| CVE-2026-5282 | 146.16.9.178 |
| CVE-2026-5283 | 146.16.9.178 |
| CVE-2026-5284 | 146.16.9.178 |
| CVE-2026-5285 | 146.16.9.178 |
| CVE-2026-5286 | 146.16.9.178 |
| CVE-2026-5287 | 146.16.9.178 |
| CVE-2026-5288 | 146.16.9.178 |
| CVE-2026-5289 | 146.16.9.178 |
| CVE-2026-5290 | 146.16.9.178 |
| CVE-2026-5291 | 146.16.9.178 |
| CVE-2026-5292 | 146.16.9.178 |
| CVE-2026-5876 | 147.15.6.102 |
| CVE-2026-5881 | 147.15.6.102 |
| CVE-2026-5884 | 147.15.6.102 |
| CVE-2026-5886 | 147.15.6.102 |
| CVE-2026-5893 | 147.15.6.102 |
| CVE-2026-5909 | 147.15.6.102 |
| CVE-2026-5914 | 147.15.6.102 |
| CVE-2026-5919 | 147.15.6.102 |
| CVE-2026-6305 | 147.15.6.102 |
| CVE-2026-6361 | 147.15.6.102 |
| CVE-2026-6921 | 147.21.3.117 |
| CVE-2026-7343 | 147.28.2.138 |
| CVE-2026-7359 | 147.28.2.138 |
| CVE-2026-7361 | 147.28.2.138 |
| CVE-2026-7363 | 147.28.2.138 |
| CVE-2026-7981 | 148.6.3.96 |
| CVE-2026-8018 | 148.6.3.96 |
| CVE-2026-8022 | 148.6.3.96 |
| CVE-2026-0237 | 146.16.6.165 |
| CVE-2026-0236 | 146.16.6.165 |
| CVE-2026-0235 | 146.16.6.165 |
Workarounds and Mitigations
No known workarounds exist for this issue.
Acknowledgments
Palo Alto Networks thanks Tan Inn Fung, Yu Ann Ong and Zhang Bosen of the GovTech Cybersecurity Group for discovering and reporting CVE-2026-0235, and Cisors for discovering and reporting CVE-2026-0236 and CVE-2026-0237.
CPE Applicability
- cpe:2.3:a:palo_alto_networks:prisma_browser:*:*:*:*:*:*:*:* is vulnerable from (including) 146.10.7 and up to (excluding) 148.6.3.96
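The following script is an added illustration, not Palo Alto Networks code, of how to evaluate an installed Prisma Browser build against this advisory. It encodes the CPE applicability range above and the per-CVE fix builds from the Solution table, compares versions numerically component by component (a plain string comparison gets "146.9" and "146.10" in the wrong order), and lists which CVEs a given build has not yet received fixes for. The version strings it is run against are constructed samples.

```python
"""Version-range check for PAN-SA-2026-0007 (Prisma Browser).

Added illustration; not Palo Alto Networks code. The range comes from the
advisory's CPE Applicability line and the per-CVE fix builds from its
Solution table. The version strings checked in main() are constructed samples.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# CPE Applicability: vulnerable from (including) 146.10.7, up to (excluding) 148.6.3.96
AFFECTED_FROM = "146.10.7"
FIXED_BEFORE = "148.6.3.96"


def cves(*numbers: int) -> List[str]:
    """Build CVE-2026-NNNN identifiers from the advisory's numeric suffixes."""
    return [f"CVE-2026-{n:04d}" for n in numbers]


# Solution table: fix build -> CVEs first fixed in that build.
FIX_BUILDS: Dict[str, List[str]] = {
    "146.10.7.154": cves(*range(4439, 4465)),
    "146.16.6.165": cves(*range(4673, 4681), 235, 236, 237),
    "146.16.9.178": cves(*range(5272, 5293)),
    "147.15.6.102": cves(5876, 5881, 5884, 5886, 5893, 5909, 5914, 5919, 6305, 6361),
    "147.21.3.117": cves(6921),
    "147.28.2.138": cves(7343, 7359, 7361, 7363),
    "148.6.3.96": cves(7981, 8018, 8022),
}


def parse_version(text: str) -> Version:
    """Turn '146.10.7.154' into (146, 10, 7, 154) so components compare numerically.

    Comparing the raw strings is wrong: '146.9.0.0' > '146.10.7.154' lexically
    because '9' > '1', yet 146.9 is the older build.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when version lies inside the CPE range [AFFECTED_FROM, FIXED_BEFORE).

    A three-part lower bound such as 146.10.7 matches every 146.10.7.x build,
    because a tuple compares greater than or equal to its own prefix.
    """
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_BEFORE)


def unpatched_cves(version: str) -> List[str]:
    """CVEs from the Solution table whose fix build is newer than `version`."""
    v = parse_version(version)
    missing: List[str] = []
    for build, ids in FIX_BUILDS.items():
        if parse_version(build) > v:
            missing.extend(ids)
    return sorted(missing)


if __name__ == "__main__":
    # Constructed sample builds, not taken from any real deployment.
    for sample in ("146.9.0.0", "146.10.7.154", "146.16.9.178", "148.6.3.96"):
        missing = unpatched_cves(sample)
        print(f"{sample}: affected={is_affected(sample)} unpatched={len(missing)}")
```

Two points about the design: `is_affected` follows the CPE Applicability line, whose lower bound (146.10.7) differs from the Product Status table's "< 146.10.7.154", so a build below 146.10.7 reports as not affected while `unpatched_cves` still lists every fix as not applied; treat such builds as needing vendor confirmation rather than as clean. `parse_version` rejects anything that is not purely dotted digits so that an inventory field holding a build tag or an empty string fails loudly instead of silently comparing as "safe".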
Timeline
Initial Publication