Description
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in Chrome’s extension handling. An attacker who controls the renderer process can craft a malicious HTML page that bypasses Chrome’s site‑isolation boundary, allowing access to data or resources that should be isolated. This can result in privilege escalation from the browser context to potentially wider system compromise.

Affected Systems

The issue affects Google Chrome versions prior to 149.0.7827.155 on all platforms. Users running the affected stable channel are potentially vulnerable until they install the patched release.

Risk and Exploitability

The CVSS score is not supplied, but the EPSS indicator of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the attack requires a compromised renderer process—achievable through an untrusted extension or malicious web content—the threat is real for environments that allow arbitrary extensions or user‑generated content. The only official remediation is to update to the fixed Chrome version.

Generated by OpenCVE AI on June 17, 2026 at 17:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.155 or later
  • Remove or disable any untrusted or unknown extensions until the update is applied
  • Avoid visiting potentially malicious websites and keep the browser’s default security settings enabled

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 07:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Wed, 17 Jun 2026 05:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T13:14:47.588Z

Reserved: 2026-06-16T19:38:30.420Z

Link: CVE-2026-12457

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T06:45:03Z

Weaknesses

No weakness.