Description
Inappropriate implementation in Site Isolation in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation of Chrome’s Site Isolation feature permitted a remote attacker who had already compromised the renderer process to bypass isolation using a specially crafted HTML page. The flaw fundamentally undermines the browser’s enforced separation between sites, exposing the possibility that an attacker could access data or perform actions across site boundaries that the isolation is intended to prevent. The weakness corresponds to an improper access control violation, allowing elevation of privilege within the browser’s process model.

Affected Systems

Google Chrome is affected, specifically any installations prior to version 149.0.7827.53 running on desktop platforms. No specific operating system or architecture exclusions are documented; the issue applies broadly to the stable channel of Chrome before the listed patch.

Risk and Exploitability

The CVSS score is 5.3, a medium severity score, and the EPSS score is < 1%, indicating a low but non-zero exploitation likelihood. The vulnerability is not yet catalogued in CISA’s KEV list. The likely attack vector requires an attacker who can corrupt the renderer process—this may arise from a malicious website or plugin—then deliver a crafted HTML page to trick the browser into breaking out of its isolation constraints. Once bypassed, the attacker could potentially read or modify site data across domains, compromising confidentiality and integrity for the user session.

Generated by OpenCVE AI on June 7, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later using Google’s update channel or by downloading the latest stable release.
  • Remove or disable third‑party extensions that have the ability to execute scripts in the renderer process, especially those handling untrusted content, to reduce the chance of renderer compromise.
  • If a patch is not available immediately, consider temporarily disabling experimental Site Isolation features and limit browsing to trusted sites only until the vulnerability is fixed.

Advisories
Source: Debian DSA
ID: DSA-6325-1
Title: chromium security update

History

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Removed: Chrome Site Isolation Bypass via Renderer Compromise; Added: chromium-browser: Insufficient policy enforcement in Site Isolation
Weaknesses CWE-501
References
Metrics Removed: threat_severity None; Added: threat_severity Moderate

Fri, 05 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Chrome Site Isolation Bypass via Renderer Compromise

Fri, 05 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Title Chrome Site Isolation Bypass via Crafted HTML
Weaknesses CWE-285

Fri, 05 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Title Chrome Site Isolation Bypass via Crafted HTML
Weaknesses CWE-285

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Site Isolation in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T17:05:44.035Z

Reserved: 2026-06-04T17:10:38.120Z

Link: CVE-2026-11174

Vulnrichment

Updated: 2026-06-05T17:03:06.119Z

NVD

Status: Analyzed

Published: 2026-06-04T23:17:24.233

Modified: 2026-06-08T14:21:31.960

Link: CVE-2026-11174

Red Hat

Severity: Moderate

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11174 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T16:00:04Z

Weaknesses
  • CWE-501

    Trust Boundary Violation

  • CWE-693

    Protection Mechanism Failure