Description
Inappropriate implementation in Fenced Frames in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper implementation in Chrome’s Fenced Frames component allows a malicious actor who has already compromised the renderer process to bypass the browser’s site isolation boundary using a specially crafted HTML page. This flaw, classified as CWE-346 and CWE-653, enables the attacker to access or manipulate web pages from different origins that should remain isolated, thereby undermining the isolation guarantees that protect user data and content integrity. The vulnerability does not provide direct code execution but elevates the attacker’s privileges within the browser context.

Affected Systems

Google Chrome versions earlier than 149.0.7827.53 are affected. No other vendors or products are reported as vulnerable.

Risk and Exploitability

The CVSS score is 6.5 and the EPSS probability is less than 1 %. The flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to have taken control of a renderer process and to deliver a crafted page. While the likelihood of a real‑world attack remains low, the ability to break out of site isolation is a significant concern, especially in environments where sensitive information is rendered in the browser.

Generated by OpenCVE AI on June 7, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or newer.
  • Verify that site isolation is enabled through the browser settings or group policy configuration.
  • Monitor renderer processes for abnormal activity and enforce strict content loading policies to limit exposure to untrusted origins.

Generated by OpenCVE AI on June 7, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient policy enforcement in Fenced Frames
Weaknesses CWE-653
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Title Site Isolation Bypass in Chrome via Crafted HTML
Weaknesses CWE-285
CWE-734

Fri, 05 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Title Site Isolation Bypass in Chrome via Crafted HTML
Weaknesses CWE-285
CWE-734

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Fenced Frames in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T14:21:55.224Z

Reserved: 2026-06-04T17:10:52.843Z

Link: CVE-2026-11217

cve-icon Vulnrichment

Updated: 2026-06-05T14:21:48.411Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:29.360

Modified: 2026-06-05T20:25:05.890

Link: CVE-2026-11217

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11217 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T16:00:04Z

Weaknesses
  • CWE-346

    Origin Validation Error

  • CWE-653

    Improper Isolation or Compartmentalization