📄 Description (English)
Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium)
🤖 AI Executive Summary
CVE-2026-10997 is a medium-severity vulnerability in Google Chrome prior to version 149.0.7827.53 that allows attackers to bypass discretionary access controls through malicious extensions. The vulnerability stems from insufficient policy enforcement in the Chrome extension system, requiring user interaction to install a malicious extension. While currently unpatched, the lack of public exploits and requirement for user action reduce immediate risk, though organizations should prioritize upgrading to Chrome 149.0.7827.53 or later.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 6, 2026 05:04
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses moderate risk to Saudi organizations across multiple sectors. Banking and financial institutions (SAMA-regulated) face elevated risk if employees use Chrome for accessing banking systems or handling sensitive financial data. Government entities and critical infrastructure operators (NCA oversight) could be targeted through supply chain attacks or social engineering. Telecommunications companies (STC, Mobily) and energy sector organizations (ARAMCO, SEC) may experience unauthorized access to sensitive systems if employees install malicious extensions. Healthcare organizations and educational institutions using Chrome for administrative functions are also at risk. The impact is primarily limited to organizations where users have administrative privileges to install extensions.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Critical Infrastructure (Energy, Water, Utilities)
Telecommunications
Healthcare
Education
Defense and Security
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
5.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all Chrome installations across the organization and identify version numbers
2. Disable or restrict Chrome extension installation capabilities via Group Policy (Windows) or Mobile Device Management (MDM) for iOS/Android
3. Implement application whitelisting for Chrome extensions using Chrome Enterprise policies
4. Conduct user awareness training on risks of installing untrusted extensions
Patching Guidance:
1. Upgrade Google Chrome to version 149.0.7827.53 or later immediately
2. Enable automatic Chrome updates via Group Policy: Set 'Update policy override' to 'Always allow updates'
3. For managed environments, deploy updates through Chrome Enterprise or MDM solutions
4. Verify successful patching by checking chrome://version in all instances
Compensating Controls (if immediate patching not possible):
1. Restrict extension installation to administrator-approved list only
2. Disable user ability to install extensions via Group Policy: 'ExtensionInstallBlocklist' = '*'
3. Monitor Chrome extension installations using endpoint detection and response (EDR) tools
4. Implement network-level controls to block malicious extension communication
Detection Rules:
1. Monitor for unauthorized Chrome extension installations in event logs
2. Alert on any extension requesting excessive permissions (file system, network access)
3. Track Chrome process behavior for unusual file access patterns
4. Monitor for extensions attempting to modify security policies or access controls
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع تثبيتات Chrome عبر المنظمة وتحديد أرقام الإصدارات
2. قم بتعطيل أو تقييد قدرات تثبيت ملحقات Chrome عبر Group Policy (Windows) أو Mobile Device Management (MDM) لـ iOS/Android
3. تطبيق القائمة البيضاء للتطبيقات لملحقات Chrome باستخدام سياسات Chrome Enterprise
4. إجراء تدريب التوعية بالمخاطر على مخاطر تثبيت ملحقات غير موثوقة
إرشادات التصحيح:
1. قم بترقية Google Chrome إلى الإصدار 149.0.7827.53 أو أحدث فوراً
2. تفعيل تحديثات Chrome التلقائية عبر Group Policy: اضبط 'Update policy override' على 'Always allow updates'
3. للبيئات المدارة، قم بنشر التحديثات من خلال Chrome Enterprise أو حلول MDM
4. تحقق من نجاح التصحيح بفحص chrome://version في جميع الحالات
عناصر التحكم البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. قصر تثبيت الملحقات على قائمة معتمدة من المسؤول فقط
2. تعطيل قدرة المستخدم على تثبيت الملحقات عبر Group Policy: 'ExtensionInstallBlocklist' = '*'
3. مراقبة تثبيتات ملحقات Chrome باستخدام أدوات كشف الاستجابة للنقاط النهائية (EDR)
4. تطبيق عناصر التحكم على مستوى الشبكة لحظر اتصالات الملحقات الضارة
قواعد الكشف:
1. مراقبة تثبيتات ملحقات Chrome غير المصرح بها في سجلات الأحداث
2. تنبيه على أي ملحق يطلب أذونات مفرطة (نظام الملفات، الوصول إلى الشبكة)
3. تتبع سلوك عملية Chrome للأنماط غير المعتادة في الوصول إلى الملفات
4. مراقبة الملحقات التي تحاول تعديل سياسات الأمان أو عناصر التحكم في الوصول
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Information security roles and responsibilities
A.8.1.1 - User endpoint devices
A.8.2.1 - Privileged access rights
A.8.3.1 - Information access restriction
🔵 SAMA CSF
ID.AM-2 - Software platforms and applications are catalogued
PR.AC-1 - Identities and credentials are issued and managed
PR.AC-4 - Access rights are managed
DE.CM-1 - The network is monitored for unauthorized connections
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.6.1.1 - Information security roles and responsibilities
A.8.1.1 - User endpoint devices
A.8.2.1 - Privileged access rights
A.8.3.1 - Access control
A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
Requirement 2.1 - Always change vendor-supplied defaults
Requirement 6.2 - Ensure security patches are installed
Requirement 8.1 - Assign unique ID to each person with access
📦 Affected Products / CPE 1 entries
google:chrome