CVE-2026-9903 - Vulnerability Details

- chromium-browser: Insufficient validation of untrusted input in Site Isolation

Description

Insufficient validation of untrusted input in Site Isolation in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted MHTML page. (Chromium security severity: High)

Published: 2026-05-28

Score: 5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability stems from insufficient validation of untrusted input within the Site Isolation feature of Google Chrome prior to version 148.0.7778.216. It enables an attacker who has already compromised the renderer process to bypass the isolation boundary by serving a specially crafted MHTML page. The result is that a malicious renderer can access resources from other sites, compromising data confidentiality and integrity. The weakness is classified as CWE‑20 (Input Validation) and CWE‑1173.

Affected Systems

Google Chrome browsers running any version earlier than 148.0.7778.216 are affected. The vulnerability applies to all platforms that use this Chrome release, as the issue lies in the generic site isolation implementation rather than a platform‑specific component.

Risk and Exploitability

The CVSS score is 5, indicating medium severity, and the EPSS score of <1% indicates a very low probability of exploitation, while the lack of a KEV listing indicates no known mass exploitation at the time of this analysis. The likely attack vector is an attacker who can execute code in a renderer process and deliver a crafted MHTML page, which is then processed by the vulnerable site isolation code. Given the medium impact and potential for widespread exploitation if an attacker can target many users, the risk remains significant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`148.0.7778.216`	affected	< 148.0.7778.216

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[148.0.7778.216,148.0.7778.216)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Chrome to version 148.0.7778.216 or later to apply the security fix.
Enable automatic updates so the browser can receive future patches promptly.
Educate users about the dangers of opening unknown MHTML files and disable them if possible.

Generated by OpenCVE AI on May 29, 2026 at 19:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/498783665
https://nvd.nist.gov/vuln/detail/CVE-2026-9903
https://www.cve.org/CVERecord?id=CVE-2026-9903

History

Fri, 29 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L'}`

Fri, 29 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Remote bypass of site isolation via crafted MHTML page	chromium-browser: Insufficient validation of untrusted input in Site Isolation
Weaknesses		CWE-1173
References		https://nvd.nist.gov/vuln/detail/CVE-2026-9903 https://www.cve.org/CVERecord?id=CVE-2026-9903
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}` threat_severity `Important`

Fri, 29 May 2026 01:00:00 +0000

Type	Values Removed	Values Added
Title		Remote bypass of site isolation via crafted MHTML page

Fri, 29 May 2026 00:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		Insufficient validation of untrusted input in Site Isolation in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted MHTML page. (Chromium security severity: High)
Weaknesses		CWE-20
References		https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/498783665

Subscriptions

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-05-28T22:25:18.719Z

Updated: 2026-05-29T17:40:49.819Z

Reserved: 2026-05-28T17:24:47.837Z

Link: CVE-2026-9903

Vulnrichment

Updated: 2026-05-29T17:40:46.720Z

NVD

Status : Undergoing Analysis

Published: 2026-05-28T23:16:48.310

Modified: 2026-05-29T19:16:29.413

Link: CVE-2026-9903

Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9903 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T20:00:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object