Description
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from insufficient policy enforcement within Chrome's extension framework. In versions earlier than 150.0.7871.47, a malicious or compromised renderer process can craft an HTML page that forces the browser to bypass its site isolation boundaries. This means that a compromised process could potentially read or influence data from other isolated sites, effectively elevating the attacker's privileges across profiles and sites. In practice, an attacker could hijack cross‑site communication channels or steal credentials stored in isolated processes.

Affected Systems

The affected product is Google Chrome, all releases older than 150.0.7871.47. The issue is documented for these versions and the fix appears in the stable channel update noted in the release notes and issue tracker. Users running earlier builds are considered vulnerable.

Risk and Exploitability

The Chromium team rated the vulnerability as medium severity. EPSS data is unavailable, and the issue is not listed in CISA's KEV catalog; therefore the historical likelihood of exploitation remains uncertain. However, the requirement for a renderer‑process compromise suggests the attack path demands prior foothold or malicious extension delivery. Once a renderer is compromised, the attacker can bypass site isolation with a crafted page, potentially reading cross‑site secrets or manipulating isolated content. The fix is contained in version 150.0.7871.47, which restores proper policy checks before enforcing site isolation.

Generated by OpenCVE AI on July 1, 2026 at 01:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome 150.0.7871.47 or newer immediately.
  • Enable Site Isolation in Chrome settings to enforce process isolation for all sites.
  • Limit extensions to trusted sources only, and review extension permissions for any that do not require full access.
  • Monitor browser behavior for unexpected renderer endpoints or untrusted page loads; consider disabling legacy renderer processes if possible.

Generated by OpenCVE AI on July 1, 2026 at 01:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:45:00 +0000

Type Values Removed Values Added
Title Insufficient Policy Enforcement Allows Renderer Process Compromise to Bypass Site Isolation in Chrome
Weaknesses CWE-284

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:21.481Z

Reserved: 2026-06-29T23:03:52.089Z

Link: CVE-2026-13919

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses