Description
Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. (Chromium security severity: High)
Published: 2026-06-17
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in File System Access within Google Chrome before version 149.0.7827.155 allows a remote attacker who has compromised the renderer process to bypass site isolation through a specially crafted PDF file. The primary impact is the potential exposure of data from isolated web content, enabling cross‑site data leakage and potentially further exploitation.

Affected Systems

All stable channel releases of Google Chrome older than 149.0.7827.155 are affected, impacting users who encounter PDFs from untrusted sources.

Risk and Exploitability

The EPSS score indicates a very low probability of exploitation and the vulnerability is not listed in CISA’s KEV catalog. However, the Chromium severity rating is high and exploitation requires the attacker to first compromise the renderer process, likely through another local exploit, before delivering a crafted PDF to trigger the policy violation. Given the high impact that a site isolation bypass could cause, the overall risk remains significant until the patch is applied.

Generated by OpenCVE AI on June 17, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to at least version 149.0.7827.155.
  • Ensure that site isolation is enabled in Chrome by checking the 'Enable Site Isolation' setting or by launching Chrome with the '--enable-site-per-process' flag.
  • In environments that process untrusted PDFs, disable the built‑in PDF viewer or restrict PDF rendering to separate trusted processes.



Advisories

No advisories yet.

History

Wed, 17 Jun 2026 07:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T13:15:44.309Z

Reserved: 2026-06-16T19:38:31.430Z

Link: CVE-2026-12460

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T06:45:03Z

Weaknesses

No weakness.