Description
Insufficient validation of untrusted input. in Compositing in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-28
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient validation of untrusted input in the compositing component of Google Chrome. An attacker who has already compromised a renderer process can supply a specially crafted HTML page that bypasses Chrome’s site isolation, lifting the isolation boundary and permitting that process to access resources belonging to other sites. This can lead to data theft, credential compromise, or other attacks against users while Chrome is running. The flaw is classified as CWE-1173 and CWE-20, and is rated low severity with a CVSS score of 3.1 by Chromium. The likely attack vector is delivering a crafted HTML page to a Chrome instance that hosts a compromised renderer, such as via a malicious extension or drive‑by activity.

Affected Systems

Affected versions are all releases of Google Chrome before 147.0.7727.138. The problem does not exist in later releases where the patch has been applied.

Risk and Exploitability

Because the exploit requires an attacker first to compromise the renderer process, the risk is lower than a purely remote exploit. Based on the description, it is inferred that the attacker would likely succeed by delivering a crafted HTML page to a compromised renderer, possibly via a malicious extension or drive‑by download. The EPSS score of <1% indicates a very low but nonzero exploitation probability, and the CVSS score of 3.1 reflects low severity. The vulnerability is not listed in the CISA KEV catalog. Despite the limited attack surface, users running affected Chrome versions without the fix remain at risk.

Generated by OpenCVE AI on April 29, 2026 at 17:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.138 or later.
  • Ensure Chrome’s site isolation is enabled via settings or enterprise policy to mitigate accidental cross‑site exploitation.
  • Avoid opening or executing untrusted HTML content from unknown sources until the update is applied.

Generated by OpenCVE AI on April 29, 2026 at 17:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6239-1 chromium security update
History

Thu, 30 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Wed, 29 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome Site Isolation Bypass via Input Validation Flaw chromium-browser: Insufficient validation of untrusted input in Compositing
Weaknesses CWE-1173
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

threat_severity

Important

Wed, 29 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Title Chrome Site Isolation Bypass via Input Validation Flaw

Wed, 29 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Tue, 28 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input. in Compositing in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-29T13:26:30.338Z

Reserved: 2026-04-28T20:02:48.922Z

Link: CVE-2026-7360

cve-icon Vulnrichment

Updated: 2026-04-29T13:26:24.956Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T23:16:23.570

Modified: 2026-04-30T16:37:36.737

Link: CVE-2026-7360

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-28T00:00:00Z

Links: CVE-2026-7360 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T17:15:16Z

Weaknesses