Description
Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An extension input validation flaw in Google Chrome allows a remote attacker who has gained control of the renderer process to supply crafted HTML that bypasses the browser's same‑origin policy. This flaw, identified as a CWE‑20 weakness, enables the attacker to read from or write to data belonging to other origins, potentially exposing or manipulating sensitive user information. The vulnerability is classified as high severity by Chrome's security team, indicating a significant potential impact on confidentiality and integrity.

Affected Systems

The issue affects all installations of Google Chrome running versions earlier than 149.0.7827.53. Any user or system running an affected version of Chrome with the Chrome Extensions framework is exposed.

Risk and Exploitability

Exploitation requires a compromised renderer process, which would typically be achieved via a malicious or manipulated extension or through a privileged web page that escalates to renderer control. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that large‑scale exploitation is not currently documented. However, the high severity rating and the requirement for renderer compromise imply that the attack could be carried out by an attacker with web‑browsing access combined with an extension or website that triggers a renderer compromise. Monitoring for malicious extension behavior and keeping the browser on the latest version are the primary protection measures.

Generated by OpenCVE AI on June 5, 2026 at 01:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later, as recommended by the Chrome release notes.
  • Verify that all extensions are from trusted sources and that no unapproved extensions are installed.
  • Ensure Chrome is configured to block or warn about insecure content, and regularly update the browser to mitigate newly discovered renderer‑process threats.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 05 Jun 2026 01:30:00 +0000

Type | Values Removed | Values Added
Title | | Insufficient Validation of Untrusted Input in Chrome Extensions Bypasses Same‑Origin Policy

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-20
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:03:35.646Z

Reserved: 2026-06-04T17:06:04.331Z

Link: CVE-2026-10912

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:16:53.213

Modified: 2026-06-04T23:16:53.213

Link: CVE-2026-10912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T01:45:27Z

Weaknesses