Description
Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes insufficient validation of untrusted input in Chrome's SiteIsolation implementation. A crafted HTML page can cause a renderer process that has already been compromised to skip isolation checks, allowing the attacker to read or alter data from other sites and potentially elevate privileges within the browser. This is an input validation weakness (CWE-20).

Affected Systems

All Google Chrome releases older than 148.0.7778.96 are vulnerable. The flaw was addressed in the 148.0.7778.96 patch referenced in the Chrome release notes.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, but the EPSS score is not available, so the exact likelihood of exploitation cannot be determined. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a remote attacker who has achieved control over a renderer process and the delivery of a crafted HTML page, so it involves multiple prerequisites but is feasible with existing capabilities.

Generated by OpenCVE AI on May 7, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to 148.0.7778.96 or later using the browser’s auto‑update mechanism or by manually installing the latest installer.
  • Ensure that Site Isolation is enabled; enable the site‑isolation‑force‑enabled flag or enforce it via an enterprise policy.
  • Disable or uninstall extensions that can inject or modify HTML content to reduce the chance of crafted pages being delivered.

Advisories

No advisories yet.

History

Thu, 07 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Remote Attacker Can Bypass Site Isolation via Crafted HTML Page in Google Chrome

Wed, 06 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}


Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Google, Google chrome
Vendors & Products Google, Google chrome

Wed, 06 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title Remote Attacker Can Bypass Site Isolation via Crafted HTML Page in Google Chrome

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:47:02.622Z

Reserved: 2026-05-05T22:59:34.296Z

Link: CVE-2026-8010

Vulnrichment

Updated: 2026-05-06T21:15:50.345Z

NVD

Status: Undergoing Analysis

Published: 2026-05-06T19:16:51.970

Modified: 2026-05-06T22:16:45.323

Link: CVE-2026-8010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T00:30:12Z

Weaknesses