Skip to main content

Google Chrome CVE-2026-12017

| EUVDEUVD-2026-36338 LOW
Improper Input Validation (CWE-20)
2026-06-11 Chrome GHSA-x86p-j2wx-wvvx
3.1
CVSS 3.1 · Vendor: Chrome

Severity by source

Vendor (Chrome) PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
3.4 LOW

Site isolation bypass inherently crosses a security boundary warranting S:C; all other metrics align with the described prerequisites of renderer compromise, user interaction, and limited confidentiality impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 12, 2026 - 02:28 vuln.today
CVSS changed
Jun 12, 2026 - 02:22 NVD
3.1 (LOW)
CVSS changed
Jun 12, 2026 - 02:22 NVD
3.1 (LOW)
CVE Published
Jun 11, 2026 - 20:48 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Site isolation bypass in Google Chrome's Extensions implementation (prior to 149.0.7827.115) enables an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. This is a chained exploit primitive - it cannot be weaponized standalone and requires a preceding renderer compromise, limiting its practical severity despite the network delivery vector. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis. The low CVSS score of 3.1 reflects the high attack complexity and constrained confidentiality impact.

Technical ContextAI

Google Chrome's site isolation architecture runs each origin in a dedicated renderer process to prevent cross-site data leakage, enforced partly through the Extensions subsystem's handling of inter-process communication and resource access. CWE-20 (Improper Input Validation) indicates the root cause is insufficient validation of inputs within the Extensions implementation, allowing a compromised renderer to interact with the Extensions layer in a manner that crosses the site isolation boundary. The affected CPE (cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*) covers all Chrome builds prior to 149.0.7827.115 across platforms. This class of flaw is significant in sandbox-escape and renderer-escape attack chains where adversaries chain a renderer RCE with a follow-on isolation bypass to exfiltrate cross-origin data.

RemediationAI

Vendor-released patch: 149.0.7827.115. Update Google Chrome to version 149.0.7827.115 or later via the browser's built-in update mechanism (Settings > Help > About Google Chrome) or through enterprise deployment tools. The official advisory is available at chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html. Because exploitation of this flaw requires an already-compromised renderer process, organizations that cannot immediately patch should prioritize mitigations targeting the upstream renderer attack surface: enforce Chrome's strict site isolation policy via enterprise policy (SitePerProcess), disable or restrict browser extensions to a curated allowlist to reduce the Extensions attack surface, and deploy endpoint detection focused on anomalous renderer process behavior. Note that restricting extensions may impact user productivity and should be evaluated against business requirements.

Share

CVE-2026-12017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy