Description
Insufficient validation of untrusted input in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by insufficient validation of untrusted input in Chrome’s Input module, enabling an attacker who has already compromised the renderer process to serve a crafted HTML page that bypasses site isolation. This undermines the browser’s protection against cross‑site data leakage, allowing the attacker to access information from another site’s renderer and potentially exfiltrate sensitive data. The weakness is classified as CWE‑20 and CWE‑1289.

Affected Systems

Google Chrome versions older than 148.0.7778.216 are affected.

Risk and Exploitability

The issue carries a high severity designation with a CVSS score of 7.9. Exploitation requires that the attacker first achieve a foothold within Chrome’s renderer process—typically through a separate vulnerability—after which the crafted page can be delivered to force Chrome to disregard site isolation boundaries. The EPSS score indicates a very low exploitation probability (<1%) and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, a successful bypass would lead to serious data disclosure and undermines the fundamental isolation guarantees of the browser.

Generated by OpenCVE AI on May 29, 2026 at 14:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to the latest stable release (148.0.7778.216 or newer) on all affected machines.
  • If a site isolation enforcement policy is available in your enterprise policy set, enable it so that renderer processes are strictly separated.
  • Limit access to potentially malicious third‑party web content or disable legacy site loading features until the update is applied.

Advisories

No advisories yet.

History

Fri, 29 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L'}


Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Site Isolation Bypass via Improper Input Validation in Chrome Input Module chromium-browser: Insufficient validation of untrusted input in Input
Weaknesses CWE-1289
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

threat_severity

Important


Fri, 29 May 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 29 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Site Isolation Bypass via Improper Input Validation in Chrome Input Module

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T17:40:21.689Z

Reserved: 2026-05-28T17:25:06.587Z

Link: CVE-2026-9979

Vulnrichment

Updated: 2026-05-29T17:40:18.694Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T23:16:56.127

Modified: 2026-05-29T19:16:30.953

Link: CVE-2026-9979

Redhat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9979 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T14:45:06Z

Weaknesses