CVE-2026-10938: Chrome Site Isolation Bypass via Input Validation Flaw
Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser handles certain HTML input that could allow an attacker to circumvent site isolation protections, but only if they have already compromised the renderer process. Site isolation is Chrome's core defense that prevents a compromised website from accessing data from other open websites. This vulnerability narrows that protection in specific scenarios.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10938 stems from an inappropriate implementation in Chrome's input handling mechanism. The vulnerability allows a remote attacker who has achieved code execution in the renderer process to craft a malicious HTML page that bypasses site isolation boundaries. Site isolation operates as a process-level sandboxing feature; this flaw permits cross-site data access when the renderer is already under attacker control. The issue is classified as CWE-20 (Improper Input Validation), indicating the root cause is insufficient validation of specially crafted input. Chromium's security team rated this High severity internally, though the CVSS 3.1 score of 6.5 (Medium) reflects the prerequisite of prior renderer compromise.
Business impact
The practical business risk depends on your threat model. Organizations facing sophisticated attackers capable of renderer exploitation face increased risk of multi-site credential theft and session hijacking after initial compromise. For most enterprises, the attacker must already control code execution in Chrome's renderer—a significant hurdle—before this flaw becomes actionable. However, in supply-chain or advanced persistent threat scenarios, this compounds existing renderer exploits into broader data exfiltration attacks. The vulnerability does not enable initial entry; it amplifies the reach of attacks that already have a foothold.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are affected. This includes Windows, macOS, Linux, Android, and iOS deployments of Chrome at vulnerable versions. Users of Chromium-based browsers (Edge, Brave, Opera, etc.) should verify whether their vendor has backported the patch, as the underlying code is shared but patch timing varies by distributor.
Exploitability
Exploitation requires two preconditions: (1) the attacker must first compromise the Chrome renderer process through another vulnerability or mechanism, and (2) the victim must visit a crafted HTML page served by the attacker. The CVSS vector (AV:N/AC:L/UI:R/S:U/C:N/I:H/A:N) indicates network accessibility with low attack complexity but requires user interaction and no scope change. The flaw is not listed on CISA's Known Exploited Vulnerabilities catalog, suggesting no active wild exploitation as of the publication date, though this does not preclude future weaponization.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. The patch corrects the input validation logic in Chrome's renderer process. Users on managed deployments should verify patch deployment via Chrome's built-in update mechanism or administrative consoles. For Chromium-based browser users, consult your vendor's advisory for specific patched versions and timelines.
Patch guidance
Chrome auto-updates by default; most users will receive version 149.0.7827.53 automatically within days of release. To manually verify your version, navigate to Chrome menu > About Google Chrome, which triggers an update check. Enterprise administrators managing Chrome via policy should deploy the patched version through their update infrastructure. Test patches in a non-production environment first to confirm compatibility with your organization's web applications, particularly any that rely on site isolation boundaries for security guarantees. If you operate a Chromium fork or embedded Chromium instance, backport the fix from the Chromium repository or wait for your vendor's security update.
Detection guidance
Detection of exploitation attempts is indirect, as the attack surface exists only after renderer compromise. Monitor for suspicious renderer process activity, unexpected cross-origin data access attempts, and anomalous credential or session token exfiltration. Endpoint Detection and Response (EDR) tools should flag processes spawning from compromised Chrome renderers with unusual system calls or network behavior. Web application firewalls (WAF) cannot meaningfully detect this vulnerability in transit; security focus should remain on renderer hardening and isolation. Log Chrome crash events and renderer process terminations, as exploitation attempts may trigger sandbox violations and crashes before successful bypass.
Why prioritize this
This vulnerability warrants timely but not emergency patching for most organizations. The critical prerequisite—prior renderer compromise—significantly reduces the attack surface relative to pre-auth or user-interaction-only flaws. However, organizations in high-threat sectors (finance, government, critical infrastructure) or those known to face sophisticated adversaries should prioritize this patch given that it amplifies the impact of renderer exploits. The internal Chromium High severity rating and the integrity impact (I:H in CVSS) reflect that successful exploitation enables credential and session theft post-compromise. Standard patch windows (weekly to bi-weekly) are appropriate for lower-risk environments; faster deployment for sensitive organizations.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) balances high integrity impact against a high-barrier attack prerequisite. The score reflects: (1) Network accessibility (AV:N) and low attack complexity (AC:L) for delivering the malicious HTML; (2) requirement for user interaction (UI:R) to visit the page; (3) high integrity impact (I:H) if the prerequisites are met, permitting unauthorized data modification or access across sites; (4) no direct confidentiality or availability impact (C:N, A:N) from the vulnerability itself. The Chromium High rating emphasizes the severity if renderer compromise is achieved, but CVSS anchors on the full attack path, yielding Medium overall. Organizations should not anchor entirely on the CVSS score; context of renderer exploit prevalence in your threat model matters.
Frequently asked questions
Does this vulnerability allow remote code execution in Chrome without other exploits?
No. This flaw requires the attacker to have already compromised Chrome's renderer process. It does not provide an initial attack vector; it amplifies the impact of existing renderer compromises by weakening site isolation. An attacker would need a separate renderer exploit or social engineering to reach this point.
Can site isolation be disabled or re-enabled to mitigate this?
Site isolation is enabled by default in Chrome and is a fundamental security architecture. This vulnerability does not require users to disable site isolation; disabling it would worsen security posture. The fix corrects the input validation flaw, restoring site isolation's effectiveness.
If I'm fully patched on Chrome, am I protected?
Yes. Updating to Chrome 149.0.7827.53 or later closes this vulnerability. Auto-updates are the default; check Chrome menu > About Google Chrome to trigger an update check and confirm you are on the patched version.
Why is this rated Medium severity if Chromium calls it High?
CVSS scoring accounts for the full attack chain. The vulnerability itself is impactful (integrity: High), but the prerequisite of renderer compromise raises the attack complexity in the overall threat model. Chromium's High rating emphasizes severity in isolation. Both ratings are valid; use Chromium's context for chromium-based products and CVSS for cross-vendor comparison.
This analysis is provided for informational purposes and reflects the state of the vulnerability as of the published date. CVSS scores, patch versions, and affected product lists are derived from official vendor advisories and should be verified against Google's Chrome release notes and security updates. This vulnerability requires prior renderer process compromise and is not known to be actively exploited in the wild as of publication. Organizations should conduct their own risk assessment based on their threat model, deployment architecture, and patch testing procedures. This document does not constitute security advice specific to your environment; consult with your security team or vendor for tailored guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0051MEDIUMAndroid UBSan Runtime Denial of Service Vulnerability
- CVE-2026-0070MEDIUMAndroid DevicePolicyManagerService Local Denial of Service Vulnerability
- CVE-2026-0085MEDIUMAndroid Contact Handler Denial of Service Vulnerability
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10980MEDIUMChrome Same-Origin Policy Bypass in DevTools – Patch Guidance