Description
Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-11
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the password handling functionality of Google Chrome on Android. An attacker who has already compromised the renderer process can use a crafted HTML page to bypass site isolation. This bypass removes the intended process and memory separation between sites, allowing the attacker to access restricted data or perform actions that would normally be confined. Chromium rates the issue as High severity, indicating significant impact on confidentiality and integrity.

Affected Systems

Google Chrome for Android versions prior to 149.0.7827.115 are affected. The vulnerability stems from how the Passwords feature is implemented in those versions.

Risk and Exploitability

Exploitation requires a prior renderer process compromise, which can occur through malicious content served to the user or via an attacker‑controlled app. Once a renderer is compromised, the attacker can use a crafted page to bypass site isolation. No EPSS data is reported, and the issue is not listed in CISA’s KEV catalog, suggesting that public exploitation evidence is currently lacking. However, the high Chromium severity and the critical nature of site isolation mean that the risk of exploitation is non‑trivial for at‑risk users.

Generated by OpenCVE AI on June 11, 2026 at 22:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome on all Android devices to version 149.0.7827.115 or later.
  • Enforce Chrome’s Site Isolation policy by enabling strict site isolation through the browser’s privacy settings or enterprise policy configuration.
  • Monitor device activity for anomalous HTML handling or unauthorized renderer processes and apply network filtering to block malicious content.



Advisories

No advisories yet.

History

Thu, 11 Jun 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Google, Google chrome |
| Vendors & Products | | Google, Google chrome |

Thu, 11 Jun 2026 23:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Site isolation bypass in Chrome Passwords via compromised renderer |
| Weaknesses | | CWE-285 |

Thu, 11 Jun 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) |
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-11T20:48:13.724Z

Reserved: 2026-06-11T18:16:08.674Z

Link: CVE-2026-12032

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T22:16:55.773

Modified: 2026-06-11T22:16:55.773

Link: CVE-2026-12032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T23:45:04Z

Weaknesses