Impact
An inappropriate implementation of Chrome’s Site Isolation feature permitted a remote attacker who had already compromised the renderer process to bypass isolation using a specially crafted HTML page. The flaw undermines the browser’s enforced separation between sites: an attacker could access data or perform actions across site boundaries that the isolation is intended to prevent. The weakness is classified as improper access control and allows elevation of privilege within the browser’s process model.
Affected Systems
Google Chrome is affected, specifically any installations prior to version 149.0.7827.53 running on desktop platforms. No specific operating system or architecture exclusions are documented; the issue applies broadly to the stable channel of Chrome before the listed patch.
Risk and Exploitability
The CVSS score is 5.3 (medium severity), and the EPSS score is < 1%, indicating a low but non-zero exploitation likelihood. The vulnerability is not yet catalogued in CISA’s KEV list. The likely attack vector requires an attacker who can corrupt the renderer process (this may arise from a malicious website or plugin) and who then delivers a crafted HTML page to trick the browser into breaking out of its isolation constraints. Once isolation is bypassed, the attacker could potentially read or modify site data across domains, compromising confidentiality and integrity for the user session.
OpenCVE Enrichment