Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Site isolation bypass inherently crosses a security boundary warranting S:C; all other metrics align with the described prerequisites of renderer compromise, user interaction, and limited confidentiality impact.
Primary rating from Vendor (Chrome).
CVSS VectorVendor: Chrome
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Site isolation bypass in Google Chrome's Extensions implementation (prior to 149.0.7827.115) enables an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. This is a chained exploit primitive - it cannot be weaponized standalone and requires a preceding renderer compromise, limiting its practical severity despite the network delivery vector. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis. The low CVSS score of 3.1 reflects the high attack complexity and constrained confidentiality impact.
Technical ContextAI
Google Chrome's site isolation architecture runs each origin in a dedicated renderer process to prevent cross-site data leakage, enforced partly through the Extensions subsystem's handling of inter-process communication and resource access. CWE-20 (Improper Input Validation) indicates the root cause is insufficient validation of inputs within the Extensions implementation, allowing a compromised renderer to interact with the Extensions layer in a manner that crosses the site isolation boundary. The affected CPE (cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*) covers all Chrome builds prior to 149.0.7827.115 across platforms. This class of flaw is significant in sandbox-escape and renderer-escape attack chains where adversaries chain a renderer RCE with a follow-on isolation bypass to exfiltrate cross-origin data.
RemediationAI
Vendor-released patch: 149.0.7827.115. Update Google Chrome to version 149.0.7827.115 or later via the browser's built-in update mechanism (Settings > Help > About Google Chrome) or through enterprise deployment tools. The official advisory is available at chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html. Because exploitation of this flaw requires an already-compromised renderer process, organizations that cannot immediately patch should prioritize mitigations targeting the upstream renderer attack surface: enforce Chrome's strict site isolation policy via enterprise policy (SitePerProcess), disable or restrict browser extensions to a curated allowlist to reduce the Extensions attack surface, and deploy endpoint detection focused on anomalous renderer process behavior. Note that restricting extensions may impact user productivity and should be evaluated against business requirements.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36338
GHSA-x86p-j2wx-wvvx