Description
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-11
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the handling of extensions in Google Chrome prior to version 149.0.7827.115. The weakness is classified as CWE-20 (Improper Input Validation) and CWE-653 (Cross-Source Injection). A remote attacker who has already compromised the renderer process can craft a malicious HTML page that bypasses site isolation, gaining access to or manipulating content belonging to other sites. This undermines the browser's process-level security boundary and could lead to data leakage or credential theft.

Affected Systems

All installations of Google Chrome older than version 149.0.7827.115 on Windows, macOS, and Linux are affected. The issue was identified in the stable channel and affects any user who has not applied the latest update.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 3.1 indicates low severity. An attacker would first need to gain control of the renderer process, which typically requires exploiting another flaw or a user-enabled configuration. Once that foothold is achieved, the crafted HTML page can bypass site isolation without additional privileges. Because exploitation depends on a pre-existing compromise, the likelihood of direct exploitation is moderate but non-negligible for high-value targets.

Generated by OpenCVE AI on June 19, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.115 or later via the official update mechanism.
  • Close all running browser instances to flush out any potentially compromised renderer processes.
  • Verify that the site isolation flag is enabled in chrome://policy or chrome://flags and that no policy disables it, ensuring the new security boundaries are active.

Advisories

Source: Debian DSA
ID: DSA-6344-1
Title: chromium security update

History

Fri, 19 Jun 2026 12:15:00 +0000

Title
  Removed: Extension Handling Allows Site Isolation Bypass in Google Chrome
  Added: chromium-browser: Insufficient validation of untrusted input Extensions
Weaknesses
  Added: CWE-653
References
  (no values listed)
Metrics
  threat_severity: None -> Important

Sat, 13 Jun 2026 03:15:00 +0000

Title
  Extension Handling Allows Site Isolation Bypass in Google Chrome

Sat, 13 Jun 2026 01:00:00 +0000

First Time appeared
  Apple
  Apple macos
  Linux
  Linux linux Kernel
  Microsoft
  Microsoft windows
Weaknesses
  NVD-CWE-noinfo
CPEs
  cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products
  Apple
  Apple macos
  Linux
  Linux linux Kernel
  Microsoft
  Microsoft windows

Fri, 12 Jun 2026 04:15:00 +0000

Title
  Chrome Extension Vulnerability Enabling Site Isolation Bypass via Crafted HTML

Fri, 12 Jun 2026 02:30:00 +0000

Metrics
  cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 00:45:00 +0000

First Time appeared
  Google
  Google chrome
Vendors & Products
  Google
  Google chrome

Thu, 11 Jun 2026 23:00:00 +0000

Title
  Chrome Extension Vulnerability Enabling Site Isolation Bypass via Crafted HTML

Thu, 11 Jun 2026 21:30:00 +0000

Description
  Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Weaknesses
  CWE-20
References
  (no values listed)

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-12T01:37:16.443Z

Reserved: 2026-06-11T18:16:05.032Z

Link: CVE-2026-12017

Vulnrichment

Updated: 2026-06-12T01:37:13.120Z

NVD

Status: Undergoing Analysis

Published: 2026-06-11T22:16:54.270

Modified: 2026-06-13T00:51:49.143

Link: CVE-2026-12017

Redhat

Severity: Important

Public Date: 2026-06-11T20:48:08Z

Links: CVE-2026-12017 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-19T14:30:04Z

Weaknesses