Description
Insufficient policy enforcement in GuestView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in the GuestView component of Google Chrome allowed a maliciously crafted HTML page to bypass the site isolation boundaries that normally keep a renderer process separate from other sites. The flaw can be triggered only after an attacker has already compromised the renderer process, and it gives them the ability to elevate privileges within that tab. This bypass can expose sensitive data from other sites or allow the attacker to execute privileged code in the context of other browser tabs. The risk is limited to the user’s browser session, but it can have serious implications for data confidentiality and integrity within that session.

Affected Systems

All users running Google Chrome versions earlier than 150.0.7871.47 are affected.

Risk and Exploitability

The CVE is classified as Medium severity by Chromium. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. An attacker must already have control of the renderer process, which typically requires a separate local or network compromise. Once that condition is met, the attacker can bypass site isolation within the browser session. The lack of publicly reported exploitation and the absence from the KEV list suggest low to moderate current risk, but defenders should assume the risk could rise as the vulnerability becomes known.

Generated by OpenCVE AI on July 1, 2026 at 01:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or later on all affected systems
  • Disable or restrict the use of GuestView by removing or disabling extensions that rely on it
  • Ensure site isolation is enabled in Chrome (Flags > System > Site Isolation) to provide an additional separation layer

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:30:00 +0000

Type | Values Removed | Values Added
Title | | GuestView Policy Enforcement Bypass Allows Site Isolation Escape
Weaknesses | | CWE-284

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in GuestView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:03.856Z

Reserved: 2026-06-29T23:03:38.594Z

Link: CVE-2026-13871

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:15:16Z

Weaknesses