Description
Inappropriate implementation in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from an inappropriate implementation in the input handling of Google Chrome versions older than 149.0.7827.53. An attacker who has already compromised the renderer process can craft a malicious HTML page that overrides the browser's site isolation feature. The flaw is identified as input validation error (CWE‑20) and is rated as high severity by Chromium security.

Affected Systems

Affected systems are Google Chrome browsers that run on the stable channel, specifically all releases before 149.0.7827.53. The issue exists across all operating system variants supported by Chrome, as the renderer component is shared. No version numbers beyond the affected threshold are known to be vulnerable.

Risk and Exploitability

The attack requires a foothold in the renderer process, which typically demands a prior compromise or advanced local exploitation. Exact EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation has not yet been documented. Nevertheless, the high severity rating and the fact that bypassing site isolation can expose private data or allow cross-site data leaks suggest that the risk warrants prompt attention when the necessary update is available.

Generated by OpenCVE AI on June 5, 2026 at 01:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or newer
  • Enable Strict Site Isolation via chrome://flags to enforce isolation boundaries
  • Configure Chrome to receive automatic updates and monitor for any signs of renderer compromise

Generated by OpenCVE AI on June 5, 2026 at 01:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Chrome Renderer Process Attack Bypasses Site Isolation

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:03:46.935Z

Reserved: 2026-06-04T17:06:10.789Z

Link: CVE-2026-10938

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:16:56.337

Modified: 2026-06-04T23:16:56.337

Link: CVE-2026-10938

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T02:45:29Z

Weaknesses