CVE-2026-10938 - Vulnerability Details

- chromium-browser: Insufficient validation of untrusted input in Input

Description

Inappropriate implementation in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Published: 2026-06-04

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability originates from an inappropriate implementation in the input handling of Google Chrome versions older than 149.0.7827.53. An attacker who has already compromised the renderer process can craft a malicious HTML page that overrides the browser's site isolation feature. The flaw is identified as input validation error (CWE‑20) and untrusted input processing issue (CWE‑501) and is rated as high severity by Chromium security.

Affected Systems

Affected systems are Google Chrome browsers that run on the stable channel, specifically all releases before 149.0.7827.53. The issue exists across all operating system variants supported by Chrome, as the renderer component is shared. No version numbers beyond the affected threshold are known to be vulnerable.

Risk and Exploitability

The attack requires a foothold in the renderer process, which typically demands a prior compromise or advanced local exploitation. The EPSS score of < 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation has not yet been documented. Nevertheless, the high severity rating with a CVSS score of 8.1 and the fact that bypassing site isolation can expose private data or allow cross-site data leaks suggest that the risk warrants prompt attention when the necessary update is available.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`149.0.7827.53`	affected	< 149.0.7827.53

Configuration 1 [-]

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[149.0.7827.53,149.0.7827.53)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Google Chrome to version 149.0.7827.53 or newer
Enable Strict Site Isolation via chrome://flags to enforce isolation boundaries
Configure Chrome to receive automatic updates and monitor for any signs of renderer compromise

Generated by OpenCVE AI on June 7, 2026 at 13:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6325-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0035.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/502681591
https://nvd.nist.gov/vuln/detail/CVE-2026-10938
https://www.cve.org/CVERecord?id=CVE-2026-10938

History

Sun, 07 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: Insufficient validation of untrusted input in Input
Weaknesses		CWE-501
References		https://nvd.nist.gov/vuln/detail/CVE-2026-10938 https://www.cve.org/CVERecord?id=CVE-2026-10938
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 05 Jun 2026 22:15:00 +0000

Type	Values Removed	Values Added
Title	Chrome Renderer Process Attack Bypasses Site Isolation

Fri, 05 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:google:chrome::::::::
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 05 Jun 2026 03:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Fri, 05 Jun 2026 02:15:00 +0000

Type	Values Removed	Values Added
Title		Chrome Renderer Process Attack Bypasses Site Isolation

Thu, 04 Jun 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		Inappropriate implementation in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Weaknesses		CWE-20
References		https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502681591

Subscriptions

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-06-04T23:03:46.935Z

Updated: 2026-06-05T19:20:17.501Z

Reserved: 2026-06-04T17:06:10.789Z

Link: CVE-2026-10938

Vulnrichment

Updated: 2026-06-05T19:20:07.991Z

NVD

Status : Analyzed

Published: 2026-06-04T23:16:56.337

Modified: 2026-06-05T20:21:48.937

Link: CVE-2026-10938

Redhat

Severity : Important

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10938 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T13:45:07Z

Weaknesses

CWE-20
Improper Input Validation
CWE-501
Trust Boundary Violation

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object