MEDIUM 5.0

CVE-2026-10010: Chrome Android Site Isolation Bypass

Google Chrome on Android versions prior to 148.0.7778.216 contain a vulnerability in input handling that allows an attacker who has already compromised Chrome's renderer process to bypass site isolation protections through a specially crafted HTML page. Site isolation is a critical Chrome security boundary designed to keep sensitive data from different websites separate in memory. This flaw undermines that protection, though it requires the attacker to have already gained code execution within the browser engine itself.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.0 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-346
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Input in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10010 stems from an inappropriate implementation in the input handling mechanism of Google Chrome on Android. The vulnerability allows a remote attacker with prior renderer process compromise to circumvent site isolation—Chrome's architectural defense that isolates each site's content in a separate operating system process. The attack vector involves serving a crafted HTML page to the victim, which leverages the existing renderer compromise to break site isolation boundaries. The underlying issue is classified under CWE-346 (Origin Validation Error), indicating improper enforcement of origin-based access controls.

Business impact

For enterprise environments deploying Chrome on Android devices, this vulnerability creates a compounded risk scenario: if another vulnerability or attack vector first compromises the Chrome renderer, this flaw then enables attackers to access cross-site data they should not reach. This could lead to credential theft, session hijacking, or exfiltration of sensitive information across multiple websites within a single compromised browser instance. Organizations relying on Android mobile security for BYOD or managed device programs should assess their exposure and prioritize patching.

Affected systems

Google Chrome for Android versions prior to 148.0.7778.216 are affected. This includes all stable and extended release tracks below that version number on Android platforms. Desktop Chrome and Chrome on other platforms are not mentioned in this advisory and should not be assumed vulnerable to this specific flaw. Organizations should inventory Chrome version distributions across their Android device fleet, including both corporate-managed and BYOD devices if applicable.

Exploitability

Exploitation requires two conditions: (1) the attacker must first compromise the Chrome renderer process through a separate vulnerability or attack, and (2) the victim must then visit a malicious HTML page served by the attacker. The CVSS vector reflects this two-stage requirement: the attack has High Complexity (AC:H) due to the prerequisite renderer compromise, requires no privileges (PR:N), but does need user interaction (UI:R) to visit the crafted page. The practical exploitability is therefore limited to multi-stage attack chains rather than standalone drive-by compromise, lowering real-world risk compared to single-stage flaws.

Remediation

Update Google Chrome on Android to version 148.0.7778.216 or later. For organizations managing Android devices through MDM solutions, deploy this version through your mobile device management console. For BYOD scenarios, communicate the update requirement to users and verify adoption through your security telemetry. No workarounds are available; patching is the only mitigation.

Patch guidance

Deploy Chrome version 148.0.7778.216 or later across all Android devices in your environment. If using Google's Managed Chrome browser for Android, ensure your MDM policies are configured to auto-update or force minimum version enforcement. Verify patch compliance within 30 days of release through your device inventory and reporting tools. Test the update on a representative sample of devices first to ensure app stability with your organization's web applications.

Detection guidance

Monitor Chrome crash reports and renderer process termination logs on Android devices, as renderer compromise attempts may generate forensic signals. Cross-reference device activity logs with known exploit campaigns or suspicious JavaScript injection attempts. Watch for unusual cross-origin data access patterns in application logs. However, this vulnerability produces minimal behavioral signals once an attacker has already achieved renderer compromise; detection is most effective at the initial renderer compromise stage through standard malware and exploit scanning. Correlation with other Android security events may indicate a staged attack.

Why prioritize this

Although the CVSS score is MEDIUM (5.0), this vulnerability should be prioritized because: (1) site isolation is a foundational Chrome security model that protects sensitive enterprise data; (2) it affects the mobile platform where Chrome is heavily deployed for both corporate and consumer use; (3) the Chromium security team rated it High severity; and (4) it enables post-compromise escalation of damage. Organizations should treat this as a standard-cycle patch but not delay beyond normal update windows.

Risk score, explained

The CVSS 3.1 score of 5.0 (MEDIUM) reflects the two-stage attack requirement: High Complexity (AC:H) due to the prerequisite renderer process compromise significantly reduces the base score. However, the vulnerability does enable Confidentiality, Integrity, and Availability impact (C:L, I:L, A:L) once that initial compromise exists. The score appropriately captures that this is a post-compromise escalation flaw rather than an independent attack vector. The Chromium team's separate High severity rating acknowledges the security model importance of site isolation, even though CVSS reflects the practical exploitability difficulty.

Frequently asked questions

Does this affect Chrome on Windows, Mac, or Linux?

No, this vulnerability is specific to Chrome on Android. The input handling flaw described affects the Android implementation. Organizations using Chrome on desktop platforms do not need to address this particular CVE, though they should maintain their own patching cadence for desktop Chrome vulnerabilities.

What is site isolation and why does bypassing it matter?

Site isolation is Chrome's architectural feature that keeps each website's content in a separate operating system process. This prevents one website from directly accessing another website's data in memory, even if both are open in the same browser. Bypassing site isolation means an attacker can cross into another site's process and steal credentials, session tokens, or other sensitive data. It's one of Chrome's most important defenses for web security.

Can this vulnerability be exploited without another attack?

No. The vulnerability requires the attacker to have already compromised the Chrome renderer process through a separate means (another vulnerability, malware, etc.). Once that initial compromise exists, this flaw then allows the attacker to break site isolation. This makes it a post-compromise escalation issue rather than a standalone entry point.

Should we block older Chrome versions on Android through our MDM?

Yes, if your organization's security policy allows. MDM solutions can enforce a minimum Chrome version or auto-update policy. However, blocking entirely may disrupt user productivity; consider a phased enforcement approach: deploy the patch, monitor adoption, then enforce minimum version after a grace period. Coordinate with your support team to minimize help desk tickets.

This analysis is based on the official CVE record and Chromium security advisory as of the publication date. Patch availability, affected versions, and remediation timelines may vary by region and deployment model. Security teams should verify patch compatibility with their specific Android device fleet and Chrome deployment method before broad rollout. This vulnerability requires an existing renderer process compromise; it is not a standalone remote code execution flaw. No public exploit code is known to exist as of this analysis date. For official vendor guidance, consult the Chromium security releases page and Google's Chrome release notes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).