MEDIUM 6.5

CVE-2026-10912: Chrome Extension Same-Origin Policy Bypass (CVSS 6.5)

A flaw in Google Chrome's extension handling allows an attacker who has already compromised the renderer process to bypass the browser's same-origin policy—a core security boundary that prevents JavaScript from one website accessing data from another. An attacker would need to trick a user into visiting a specially crafted webpage to exploit this. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-20
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10912 stems from insufficient input validation in Chrome's extension subsystem (CWE-20). The vulnerability permits a renderer-process-level attacker to circumvent same-origin policy (SOP) enforcement via a malicious HTML page. Because the attack requires prior renderer compromise, it typically chains with other exploits rather than standing alone. Chromium rated this High severity; CVSS 3.1 assigns it a score of 6.5 (Medium), reflecting the requirement for user interaction and the limitation that confidentiality is not directly impacted, though integrity is substantially compromised.

Business impact

This vulnerability poses a moderate but meaningful risk to organizations. If an attacker chain gains renderer access—for instance through a separate Chrome vulnerability or malicious extension—they could abuse this flaw to exfiltrate sensitive data from other origins, steal authentication tokens, or manipulate user sessions across multiple websites within a single browser instance. For enterprises relying on Chrome for productivity or financial services, the integrity compromise could undermine trust in web-based workflows.

Affected systems

Google Chrome prior to version 149.0.7827.53 is directly affected. Because Chrome runs on Windows, macOS, and Linux, all three platforms are in scope. Users of any operating system running vulnerable Chrome versions should prioritize updates. Note that while the vendor list includes operating system kernels, the vulnerability is specific to Chrome's extension handling rather than OS-level code.

Exploitability

Exploitation requires two preconditions: (1) the attacker must first compromise the Chrome renderer process through a separate vulnerability or attack vector, and (2) the user must visit a crafted HTML page. This two-stage requirement lowers real-world exploitability compared to direct, unauthenticated remote code execution flaws. However, once renderer access is obtained, triggering the same-origin bypass is trivial. The vulnerability has not been added to the Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not yet been documented at publication.

Remediation

Users should update Google Chrome to version 149.0.7827.53 or later immediately. Enterprises should enforce Chrome auto-updates or use managed deployment channels to ensure rollout across their fleets. Additionally, review browser security policies: disable unnecessary extensions, restrict extension installation to curated allowlists, and consider isolating high-risk browsing to dedicated environments. Monitor for any related renderer-process vulnerabilities that could serve as the initial compromise vector.

Patch guidance

Google Chrome 149.0.7827.53 and subsequent releases contain the fix. Verify the installed version via chrome://version or through your organization's endpoint management tools. For auto-updating installations, the patch may already be deployed; manual users should navigate to Menu > About Google Chrome to trigger an immediate update check. Organizations using Chrome Enterprise or similar managed deployments should consult vendor advisories for specific rollout timelines and testing recommendations.

Detection guidance

Monitor Chrome crash logs and extension activity for unusual renderer restarts or extension permission escalations. At the network level, look for unexpected cross-origin resource requests originating from Chrome processes, though same-origin bypass evasion may limit visibility. Endpoint detection and response (EDR) solutions should track suspicious HTML file access or execution of HTML files from untrusted sources. Correlate any alerts with prior evidence of renderer-process compromise (heap exploits, code injection) to identify active chains. Consider scanning for unsigned or unauthorized extensions that could be used in conjunction with this flaw.

Why prioritize this

Although assigned a CVSS 6.5 (Medium), this vulnerability warrants prompt attention due to its role in attack chains. Attackers who achieve renderer compromise gain a direct path to same-origin policy bypass—a foundational browser security control. The integrity impact is high, and the attack surface includes any user visiting a malicious webpage after an initial compromise. Prioritize environments with high-value data (financial, healthcare, or credential-management portals) and those running older Chrome versions or with infrequent patch cycles.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects: Network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but user interaction needed (UI:R). The scope is unchanged (S:U), meaning the attacker cannot break out of Chrome itself. Confidentiality is not affected (C:N), but integrity is high (I:H) because same-origin bypass permits unauthorized data modification or exfiltration. Availability is not impacted (A:N). The Medium severity label accurately captures that real-world risk hinges on successful prior renderer compromise; however, organizations should not underweight this based on CVSS alone, given the downstream impact of SOP bypass.

Frequently asked questions

Do I need to patch immediately if I'm only a casual Chrome user?

If you primarily use Chrome for general web browsing and do not visit untrusted or high-risk sites, the immediate risk is lower because the exploit requires both renderer compromise and a crafted page visit. However, you should still apply the patch within your normal update cycle (ideally within days, not weeks) because zero-days or chains combining this flaw with other vulnerabilities could emerge.

Can I disable extensions to mitigate this until I patch?

Disabling extensions reduces attack surface somewhat, but this vulnerability is in Chrome's extension subsystem itself, not specific to individual extensions. Disabling them provides limited protection against a determined attacker with renderer access. Patching is the authoritative fix; extension management is a defense-in-depth layer.

What is same-origin policy and why does bypassing it matter?

Same-origin policy is a fundamental browser security model that prevents scripts from one website from accessing data from another (e.g., JavaScript on attacker.com cannot read your Gmail inbox). Bypassing SOP allows attackers to steal credentials, modify transactions, or harvest sensitive information across multiple sites within the same browser. It is one of the few hard boundaries protecting users from widespread credential and data theft.

Will this affect me if I use Chrome on a managed corporate environment?

Managed environments typically enforce automatic updates and may use additional policies (managed bookmarks, extension whitelists, sandbox restrictions). If auto-update is enabled, the patch should roll out automatically. Check with your IT department on deployment timelines. High-security environments may also isolate web browsing to dedicated machines or containers, which would further limit risk.

This analysis is based on publicly disclosed vulnerability data and vendor advisories current as of the publication date. Exploit availability, real-world attack prevalence, and patch timelines may change. Organizations should verify all patch version numbers and compatibility against the official Google Chrome security advisory and their own testing environments before deployment. This document does not constitute security advice tailored to your specific infrastructure; consult your security team or vendor for guidance. SEC.co makes no warranty regarding the completeness or accuracy of third-party data sources. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).