Description
Insufficient validation of untrusted input in Loader in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input in the Loader component of Google Chrome before version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to bypass Chrome’s site isolation mechanism. The vulnerability can enable the attacker to read or affect content from other tabs or sites that are normally isolated. The Chromium security severity is reported as low, but the impact is significant if the attacker has a foothold in the renderer.

Affected Systems

Google Chrome versions earlier than 149.0.7827.53 are affected. The vulnerability is specific to the Loader module used during page parsing and rendering inside Google Chrome’s renderer process.

Risk and Exploitability

Exploitation requires the attacker to already have control over the renderer process, a condition that typically results from a preceding vulnerability or compromise. No public exploit or published exploit code is known, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score is not available. Despite the low Chromium severity rating, the ability to break isolation between processes makes this vulnerability more dangerous in a multi-tenant or shared environment, especially when combined with other flaws that allow renderer compromise.

Generated by OpenCVE AI on June 5, 2026 at 00:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or newer.
  • Verify that site isolation and sandboxing are active in Chrome settings and group policies after updating.
  • Implement strict process isolation and least‑privilege controls for browser components to reduce the likelihood of renderer compromise.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 00:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Thu, 04 Jun 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Insufficient validation of untrusted input in Loader in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low) |
| Weaknesses | | CWE-20 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:57.589Z

Reserved: 2026-06-04T17:11:00.594Z

Link: CVE-2026-11240

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T00:17:00.207

Modified: 2026-06-05T00:17:00.207

Link: CVE-2026-11240

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T00:30:07Z

Weaknesses