Description
Insufficient validation of untrusted input in SiteIsolation in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the SiteIsolation component of Google Chrome on Windows and is caused by insufficient validation of untrusted input. If an attacker has already compromised the renderer process, a specially crafted HTML page can be used to escape that process’s sandbox. By breaking out of the sandbox, the attacker could gain higher privileges within the browser or access system resources, potentially enabling code execution outside the browser sandbox. This weakness is an improper validation of untrusted input (CWE‑20, CWE‑1289).

Affected Systems

Google Chrome on Windows, versions prior to 149.0.7827.53, are affected. Version 149.0.7827.53 and newer no longer contain this flaw.

Risk and Exploitability

The CVSS score is 9.6 and the EPSS score is < 1%, but the vulnerability is still rated medium severity by Chromium. Exploitation requires pre‑existing compromise of a renderer process, limiting the attack surface. Because a direct remote exploit path is not provided, the probability of widespread use is moderate. The issue is not listed in the CISA KEV catalog. Updating to the latest stable release removes the vulnerability and Chrome’s automatic update mechanism ensures it is applied promptly.

Generated by OpenCVE AI on June 7, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 149.0.7827.54 or later on Windows.
  • Enable Chrome’s automatic update feature to receive future patches automatically.
  • If an upgrade cannot be performed immediately, monitor for anomalous renderer activity and consider disabling affected renderer processes or temporarily switching to an alternative browser configuration.

Generated by OpenCVE AI on June 7, 2026 at 14:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Mon, 08 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient validation of untrusted input in SiteIsolation
Weaknesses CWE-1289
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 05 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Potential Sandbox Escape via Crafted HTML in SiteIsolation on Windows Chrome

Fri, 05 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Potential Sandbox Escape via Crafted HTML in SiteIsolation on Windows Chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in SiteIsolation in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T18:47:18.481Z

Reserved: 2026-06-04T17:06:39.432Z

Link: CVE-2026-11056

cve-icon Vulnrichment

Updated: 2026-06-05T18:47:14.071Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:10.030

Modified: 2026-06-08T15:52:25.340

Link: CVE-2026-11056

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11056 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T14:30:16Z

Weaknesses
  • CWE-1289

    Improper Validation of Unsafe Equivalence in Input

  • CWE-20

    Improper Input Validation