Description
Inappropriate implementation in ORB in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the ORB component of Google Chrome prior to 149.0.7827.53, an inappropriate implementation allows a remote attacker to craft an HTML page that bypasses the browser’s site isolation safeguards. The vulnerability creates a gap in the separation that Chrome enforces between distinct web origins so that, once bypassed, the attacker could potentially access information or resources from other isolated contexts. Based on the description, it is inferred that this breach could enable the attacker to exploit data or functionality that was intended to be segregated by site isolation.

Affected Systems

Google Chrome for desktop operating systems running any version before 149.0.7827.53. Users on the stable channel who have not yet installed the latest update are at risk.

Risk and Exploitability

The likely attack vector is remote; the attacker must host or serve a specially crafted HTML page that the victim will open. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, indicating a low or uncertain likelihood of exploitation. The potential impact of bypassing site isolation remains significant, as it could undermine Chrome’s core security model and allow the attacker to exfiltrate data or execute privileged actions across origins.

Generated by OpenCVE AI on June 5, 2026 at 05:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chrome update (149.0.7827.53 or later).
  • If an update cannot be installed immediately, start Chrome with the command‑line flag --disable-site-isolation to temporarily remove the affected isolation feature until a patch is available.
  • Consider using an alternative browser such as Firefox until the Chrome vulnerability is fixed, ensuring that critical web traffic is protected by a different security model.

Generated by OpenCVE AI on June 5, 2026 at 05:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Title Site Isolation Bypass via Crafted HTML Page in Chrome
Weaknesses CWE-264
CWE-378

Fri, 05 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in ORB in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:32.876Z

Reserved: 2026-06-04T17:10:39.661Z

Link: CVE-2026-11179

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:24.797

Modified: 2026-06-04T23:17:24.797

Link: CVE-2026-11179

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:45:33Z

Weaknesses