CVE-2026-11179: Chrome ORB Site Isolation Bypass (CVSS 8.8)
Google Chrome versions before 149.0.7827.53 contain a flaw in the Object Request Broker (ORB) feature that allows attackers to bypass site isolation—a critical Chrome security boundary that prevents websites from accessing each other's data. An attacker can exploit this by hosting a malicious HTML page that, when visited by a user, breaks through site isolation and gains unauthorized access to sensitive information from other open tabs or windows. The vulnerability requires user interaction (visiting the crafted page) but demands no special privileges, making it a practical concern for any Chrome user.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-284
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in ORB in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in Chrome's ORB (Object Request Broker) implementation, which is part of the browser's cross-origin resource sharing and isolation mechanisms. CWE-284 (Improper Access Control) indicates that the ORB fails to properly enforce access restrictions between origins. An attacker crafts an HTML page that triggers improper ORB behavior, allowing script execution to escape the site isolation sandbox. This violates the fundamental trust boundary that Chrome maintains to isolate site data, potentially exposing cookies, localStorage, session tokens, or DOM content from other origins within the same browser context.
Business impact
Site isolation bypass represents a critical user-facing risk. Attackers can harvest authentication credentials, session tokens, and sensitive user data from any site the victim has open simultaneously. For enterprises where employees use Chrome for business, this enables lateral movement after initial social engineering (phishing to the malicious page). Users managing financial accounts, email, or SaaS platforms face direct account compromise. The CVSS score of 8.8 (HIGH) reflects the confluence of confidentiality, integrity, and availability impacts across the user's browser state.
Affected systems
Google Chrome on all major platforms—Windows, macOS, and Linux—is affected in versions prior to 149.0.7827.53. The vulnerability affects the Chrome binary and associated ORB components across all these operating systems. Users running Chrome 149.0.7827.53 or later are protected.
Exploitability
This vulnerability has a low barrier to exploitation. An attacker needs only to craft a malicious HTML page and trick a user into visiting it (via phishing, watering hole, or ad network compromise). No special network position, authentication, or advanced techniques are required. The attack surface is the web itself—any site or embed can host the payload. However, the vulnerability is not currently listed on the CISA KEV catalog, suggesting limited evidence of active, widespread exploitation in the wild as of the publication date.
Remediation
Immediate patching to Chrome 149.0.7827.53 or later is the only mitigation. Users should enable automatic updates or manually update via Settings > About > Google Chrome. Administrators managing Chrome on enterprise devices should deploy this version through their standard patch management tools. There are no known workarounds for the underlying ORB flaw; updating the browser is essential.
Patch guidance
Verify your Chrome version by navigating to chrome://version/. If the version is below 149.0.7827.53, initiate an update immediately. Chrome typically auto-updates, but you can force a check by clicking the menu (three dots), selecting 'About Google Chrome,' and allowing the download and restart. For macOS, Windows, and Linux users, the patch process is identical. Enterprise deployments should push 149.0.7827.53 or later through their configuration management system. After patching, confirm the browser version has changed before resuming normal browsing.
Detection guidance
Monitor Chrome version compliance across your organization using endpoint detection tools or Mobile Device Management (MDM) solutions. Flag any systems running Chrome versions below 149.0.7827.53 for immediate patching. Additionally, monitor for suspicious activity patterns in user accounts (unusual login locations, new device registrations) that might indicate credential theft via site isolation bypass. Web proxies or DNS logs cannot block this attack since the malicious page can be hosted anywhere; detection relies on version inventory and behavioral anomalies in user accounts.
Why prioritize this
This vulnerability merits urgent attention due to the HIGH CVSS score (8.8), low attack complexity, and the fundamental nature of site isolation as a Chrome security pillar. Even without current KEV listing, the ease of exploitation and potential for widespread credential theft in any environment where users browse untrusted content makes this a top-tier patch priority. Delay increases the window for targeted exploitation, particularly in social engineering campaigns.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects: (1) Network accessibility (AV:N) with no authentication required (PR:N); (2) low attack complexity (AC:L), meaning the attack does not require user-specific conditions beyond clicking a link; (3) user interaction (UI:R) is required—the victim must visit the malicious page; (4) high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) because the attacker can read cross-origin data, inject content, or destabilize the browser state. The boundary between HIGH (CVSS 7.0–8.9) and CRITICAL (9.0+) is crossed by the UI:R requirement, which introduces friction. Nevertheless, 8.8 correctly signals a severe flaw demanding immediate remediation.
Frequently asked questions
If I use Chrome with no other tabs open, am I safe from this vulnerability?
Partially safer, but not completely secure. The vulnerability allows breaking site isolation, which primarily matters when multiple origins are loaded. However, an attacker could still extract cached data, cookies, or browser state tied to previous sessions. Additionally, you may not know all the frames and origins loaded in your current page (ads, analytics, etc.), so it's safest to patch regardless.
Does using Chrome in incognito mode protect me?
Incognito mode isolates browsing history and cookies, but site isolation itself is the target. The ORB flaw affects both normal and incognito sessions. Incognito offers no additional protection against this specific vulnerability; patching is still required.
What should IT administrators do to enforce this patch?
Deploy Chrome 149.0.7827.53 or later through your standard patch management system (Group Policy for Windows, configuration profiles for macOS, or Linux package managers). Set update policies that prevent downgrade and monitor compliance. For BYOD environments, send alerts to users and incentivize immediate updates. Consider blocking older Chrome versions at the proxy if your organization allows it.
Is there any relationship between this vulnerability and the Chromium security severity being listed as 'Medium'?
No, the Chromium project's internal severity classification ('Medium') differs from the CVSS score (8.8/HIGH). Chromium uses a separate risk model that may weigh different factors. The CVSS score is the industry standard for severity and should be used for prioritization decisions. Always reference the CVSS score when assessing impact.
This vulnerability intelligence is based on data current as of June 2026. Patch version numbers, affected versions, and timelines reference official Google advisories and the provided CVE record. Always verify patch applicability against the official Chromium security advisory before deployment. No actual exploit code or weaponized proof-of-concept is provided; this content is for defensive purposes only. Organizations should test patches in a controlled environment before broad rollout. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)
- CVE-2026-11026MEDIUMChrome Extension Navigation Bypass Vulnerability
- CVE-2026-11078MEDIUMChrome FileSystem Same-Origin Policy Bypass – MEDIUM Severity
- CVE-2026-11135MEDIUMChrome Autofill Bypass Allows Credential Misdirection
- CVE-2026-11187MEDIUMChrome Navigation Restriction Bypass Vulnerability
- CVE-2026-11190MEDIUMGoogle Chrome Extension Access Control Bypass (6.5 CVSS)
- CVE-2026-11193MEDIUMChrome Password Manager Access Control Bypass – CVSS 6.5
- CVE-2026-11197MEDIUMChrome Same-Origin Policy Bypass in Workers – Patch v149.0.7827.53