Description
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Chrome's Extensions implementation allows an attacker who has already compromised the renderer process to bypass the browser's site isolation. The weakness is classified as improper handling of input within the Extensions code (CWE-20) and was rated High severity by Chromium security. If exploited, the attacker could read or manipulate data from other processes or web origins that should remain isolated, potentially leading to data theft or injection of malicious content.

Affected Systems

Google Chrome desktop releases prior to version 149.0.7827.103 are affected.

Risk and Exploitability

The vulnerability requires an attacker to first obtain control over the renderer process, which could be achieved via a malicious extension or a compromised website. Once control is achieved, a crafted HTML page can be served to the renderer to break it out of its isolated context. The EPSS score is not available, but the high Chromium severity and the need for pre-existing renderer compromise suggest a moderate to high exploitation difficulty. The vulnerability is not listed in CISA KEV, indicating no known exploitation at the time of analysis.

Generated by OpenCVE AI on June 9, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.103 or newer.
  • If an update is not yet available, disable or uninstall any untrusted or recently installed extensions that might be leveraged for the initial renderer compromise.
  • Verify that site isolation is enabled in Chrome’s experimental features or through enterprise policy settings; consider disabling features that allow extension code to affect site isolation.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 01:15:00 +0000

Type: Title
Values Removed: Browser Extension Site Isolation Bypass via Compromised Renderer Process
Values Added: Chrome Extension Site Isolation Bypass via Renderer Compromise

Tue, 09 Jun 2026 00:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: Browser Extension Site Isolation Bypass via Compromised Renderer Process

Type: First Time appeared
Values Removed: (none)
Values Added: Google; Google chrome

Type: Vendors & Products
Values Removed: (none)
Values Added: Google; Google chrome

Mon, 08 Jun 2026 23:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-09T13:52:10.692Z

Reserved: 2026-06-08T21:33:40.877Z

Link: CVE-2026-11653

Vulnrichment

Updated: 2026-06-09T13:51:32.364Z

NVD

Status: Undergoing Analysis

Published: 2026-06-09T00:16:48.250

Modified: 2026-06-09T14:16:35.273

Link: CVE-2026-11653

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T01:00:15Z

Weaknesses