Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in FoldableAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Site isolation bypass in Google Chrome's FoldableAPIs component allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The vulnerability carries a CVSS 4.3 score, an EPSS of 0.02% (4th percentile), is not listed in CISA KEV, and no public exploit has been identified - consistent with Chromium's own 'Low' severity rating. A vendor-released patch (149.0.7827.53) is available.
Technical ContextAI
FoldableAPIs is a Chrome renderer-side feature set designed to expose device-posture and screen-fold information to web content, enabling responsive layouts on foldable devices. An inappropriate implementation in this subsystem maps to CWE-693 (Protection Mechanism Failure), meaning a security control - here, Chrome's Site Isolation architecture, which confines each origin's renderer to a dedicated process - is circumvented rather than directly broken. Because site isolation is Chrome's primary defense against Spectre-class cross-origin data leakage and cross-site scripting escalation, a bypass undermines a critical sandbox boundary. The CVSS vector S:U (unchanged scope) and C:L (low confidentiality impact) suggest the practical data exposure is constrained, which aligns with the Low Chromium severity designation. The affected version range is Google Chrome < 149.0.7827.53 as confirmed by the ENISA EUVD entry EUVD-2026-34695 and the Google Chrome Releases advisory.
RemediationAI
Upgrade Google Chrome to version 149.0.7827.53 or later - this is the vendor-released patch confirmed via the official Chrome Releases advisory at chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's automatic update mechanism should handle delivery for most users; enterprise administrators managing Chrome deployments via policy should push the 149.0.7827.53 update through their management console. Because exploitation requires a prior renderer compromise, organizations unable to patch immediately should prioritize disabling or restricting use of experimental foldable-device APIs via enterprise policies if such controls are available, though this workaround would only reduce the attack surface if FoldableAPIs exposure can be isolated. No workaround fully eliminates the risk of a chained renderer-plus-isolation-bypass exploit chain; patching remains the only confirmed remediation.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34695
GHSA-pm3c-hfh2-87gg