Description
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-24
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Inappropriate handling of password data in Google Chrome versions before 149.0.7827.197 allows a remote attacker that has already compromised the renderer process to bypass site isolation by serving a crafted HTML page. This flaw lets the attacker escape the renderer sandbox, access privileged browser processes, and potentially read or manipulate user credentials and other sensitive data that would normally be protected by site isolation. Chromium security labels the issue as high severity.

Affected Systems

All installations of Google Chrome that run a stable channel build older than 149.0.7827.197 are vulnerable. Any user who has not yet upgraded to 149.0.7827.197 or a later version remains at risk.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity, and the EPSS score is not available; it is not listed in CISA KEV. The likely attack vector is a malicious or compromised webpage that the user accesses, forcing code execution in the renderer process. Based on the description, it is inferred that the attacker must first gain control of the renderer before the site isolation bypass can be used. Once the renderer is compromised, the attacker can trigger the bypass by loading a crafted HTML page. Exploitation requires advanced capabilities, so the likelihood is moderate to high among attackers with sophisticated tooling. Successful exploitation could provide unauthorized access to saved passwords, session cookies, and other credentials, potentially leading to account takeover or broader system compromise.

Generated by OpenCVE AI on June 24, 2026 at 23:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.197 or later
  • Restart all Chrome processes after the update to activate the updated sandboxing logic
  • If a timely update is not possible, disable automatic password saving, clear stored passwords, and consider using Incognito mode or a separate user profile to limit exposure

Generated by OpenCVE AI on June 24, 2026 at 23:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4654-1 chromium security update
Debian DSA Debian DSA DSA-6364-1 chromium security update
History

Thu, 25 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Chrome Site Isolation Bypass via Render Process Password Handling Chrome Site Isolation Bypass via Compromised Render Process Password Handling

Wed, 24 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Chrome Site Isolation Bypass via Render Process Password Handling

Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Title Site Isolation Bypass via Crafted HTML Page in Chrome Passwords
Weaknesses CWE-200
CWE-295

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Site Isolation Bypass via Crafted HTML Page in Chrome Passwords
Weaknesses CWE-200
CWE-295

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:28:08.757Z

Reserved: 2026-06-23T17:14:12.011Z

Link: CVE-2026-13034

cve-icon Vulnrichment

Updated: 2026-06-24T19:27:16.390Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T06:30:16Z

Weaknesses