CVE-2026-1220 — Insufficient Granularity of Access Control in Chromium

CWE-1220 — Insufficient Granularity of Access Control12 documents6 sources

Severity

6.5HIGH

No vector

EPSS

No EPSS data

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Chromium Google Chrome Chrome Msrc Microsoft Edge

Timeline

PublishedJan 20

Latest updateApr 15

Description

Stable Channel Update for Desktop CVE-2026-1220: Race in V8. Reported by @p1nky4745 on 2026-01-07 We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel Severity: high

Affected Packages3 packages

▶debiandebian/chromium< chromium 144.0.7559.96-1~deb12u1 (bookworm)

▶msrcmsrc/microsoft_edge

▶googlegoogle/chrome_chrome

📋Vendor Advisories

Red Hat

argocd-image-updater: ArgoCD Image Updater: Cross-Namespace Privilege Escalation via insufficient namespace validation↗2026-04-15

▶

Red Hat

Vite: Vite: Information disclosure via WebSocket connection bypasses access control↗2026-04-07

▶

Red Hat

kernel: drm/xe: Open-code GGTT MMIO access protection↗2026-04-03

▶

Red Hat

github.com/nats-io/nats-server: NATS-Server: Unauthorized trace message redirection via message tracing headers↗2026-03-25

▶

Red Hat

Kibana: Kibana: Unauthorized system control via missing authorization↗2026-03-19

▶

🕵️Threat Intelligence

Wiz

CVE-2026-1220 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶