CVE-2026-11179 - Vulnerability Details

- chromium-browser: Inappropriate implementation in ORB

Description

Inappropriate implementation in ORB in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

Published: 2026-06-04

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the ORB component of Google Chrome prior to 149.0.7827.53, an inappropriate implementation allows a remote attacker to craft an HTML page that bypasses the browser’s site isolation safeguards. The vulnerability creates a gap in the separation that Chrome enforces between distinct web origins so that, once bypassed, the attacker could potentially access information or resources from other isolated contexts. Based on the description, it is inferred that this breach could enable the attacker to exploit data or functionality that was intended to be segregated by site isolation.

Affected Systems

Google Chrome for desktop operating systems running any version before 149.0.7827.53. Users on the stable channel who have not yet installed the latest update are at risk.

Risk and Exploitability

The likely attack vector is remote; the attacker must host or serve a specially crafted HTML page that the victim will open. The EPSS score is less than 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating a low or uncertain likelihood of exploitation. The CVSS score is 8.8, indicating a high severity. The potential impact of bypassing site isolation remains significant, as it could undermine Chrome’s core security model and allow the attacker to exfiltrate data or execute privileged actions across origins.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`149.0.7827.53`	affected	< 149.0.7827.53

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[149.0.7827.53,149.0.7827.53)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Chrome update (149.0.7827.53 or later).
If an update cannot be installed immediately, start Chrome with the command‑line flag --disable-site-isolation to temporarily remove the affected isolation feature until a patch is available.
Consider using an alternative browser such as Firefox until the Chrome vulnerability is fixed, ensuring that critical web traffic is protected by a different security model.

Generated by OpenCVE AI on June 7, 2026 at 15:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6325-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00227.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/502615170
https://nvd.nist.gov/vuln/detail/CVE-2026-11179
https://www.cve.org/CVERecord?id=CVE-2026-11179

History

Mon, 08 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Chrome ORB Site Isolation Bypass via Crafted HTML	chromium-browser: Inappropriate implementation in ORB
Weaknesses		CWE-653
References		https://nvd.nist.gov/vuln/detail/CVE-2026-11179 https://www.cve.org/CVERecord?id=CVE-2026-11179
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 05 Jun 2026 22:15:00 +0000

Type	Values Removed	Values Added
Title		Chrome ORB Site Isolation Bypass via Crafted HTML

Fri, 05 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
Title	Site Isolation Bypass via Crafted HTML Page in Chrome
Weaknesses	CWE-264 CWE-378

Fri, 05 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 05 Jun 2026 06:00:00 +0000

Type	Values Removed	Values Added
Title		Site Isolation Bypass via Crafted HTML Page in Chrome
Weaknesses		CWE-264 CWE-378

Fri, 05 Jun 2026 05:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		Inappropriate implementation in ORB in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
References		https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502615170

Subscriptions

Apple Macos

Google Chrome

Linux Linux Kernel

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-06-04T23:05:32.876Z

Updated: 2026-06-05T16:35:12.226Z

Reserved: 2026-06-04T17:10:39.661Z

Link: CVE-2026-11179

Vulnrichment

Updated: 2026-06-05T16:34:41.863Z

NVD

Status : Analyzed

Published: 2026-06-04T23:17:24.797

Modified: 2026-06-08T14:20:23.830

Link: CVE-2026-11179

Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11179 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T16:00:04Z

Weaknesses

CWE-284
Improper Access Control
CWE-653
Improper Isolation or Compartmentalization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object