MEDIUM 4.3

CVE-2026-11234: Chrome FoldableAPIs Site Isolation Bypass (149.0.7827.53)

Google Chrome versions before 149.0.7827.53 contain a vulnerability in the FoldableAPIs feature that allows a remote attacker to bypass site isolation—Chrome's core security boundary that separates web pages from each other—if the attacker has already compromised the renderer process. Site isolation is one of Chrome's strongest defenses against malicious websites stealing data from other tabs or extensions. This vulnerability requires both a compromised renderer and user interaction, limiting the immediate threat but warranting timely patching.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-693
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in FoldableAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from inappropriate implementation in FoldableAPIs, a Chrome feature that handles foldable device display modes. CWE-693 (Protection Mechanism Failure) indicates the site isolation boundary—which normally compartmentalizes renderer processes to prevent cross-origin data theft—can be bypassed through a crafted HTML page when an attacker controls the renderer process. The attack chain requires prior renderer compromise, suggesting this is a secondary exploitation stage rather than a primary entry vector. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) reflects network attack surface, low complexity, user interaction requirement, and confidentiality impact only.

Business impact

This vulnerability presents moderate risk in multi-user or shared-device environments where tab isolation is relied upon to prevent data leakage. If an attacker has already compromised a renderer process (for example, through a prior browser exploit or malicious extension), they could read sensitive data from other open tabs, potentially extracting authentication tokens, personal information, or corporate credentials. The requirement for prior renderer compromise limits the immediate business exposure, but it does lower the barrier for attackers already inside the browser sandbox to escalate their capabilities.

Affected systems

Google Chrome prior to version 149.0.7827.53 is directly affected. The vulnerability also impacts Chrome on Windows, macOS, and Linux systems. While the CVE lists Apple macOS, Linux kernel, and Microsoft Windows as affected vendors/products, this reflects the operating systems on which vulnerable Chrome instances run; the vulnerability is in Chrome itself, not the OS.

Exploitability

Exploitation requires two preconditions: (1) the attacker must have already compromised the Chrome renderer process, and (2) the user must interact with a crafted HTML page delivered by the attacker. The vulnerability is not exploitable by simply visiting a malicious website without prior renderer compromise. Chromium's internal severity rating is Low, and the CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no active exploitation in the wild at the time of publication.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. On Windows and macOS, Chrome typically auto-updates; however, users should verify they are running the patched version via Settings > About Google Chrome. Linux users should check their distribution's package manager for the updated Chrome version or use the official Google Chrome repository. Organizations managing Chrome deployments should use group policies or Mobile Device Management (MDM) solutions to enforce updates across their estate.

Patch guidance

Chrome patches are released through the stable channel and roll out gradually. Verify you are running 149.0.7827.53 or later by navigating to chrome://settings/help, which will show your current version and initiate an update check if needed. If your organization uses Chrome for Business or Chromebooks, ensure that auto-update is enabled and that managed devices check in regularly. No interim mitigations exist; patching is the only remediation.

Detection guidance

Monitor for unusual tab-to-tab communication or unexpected data access patterns within Chrome processes using browser-level telemetry or debugging tools. However, detection is challenging because the vulnerability requires prior renderer compromise; focus detection efforts upstream on identifying how the renderer was compromised in the first place (e.g., memory corruption exploits, malicious extensions). Check Chrome logs and crash reports (chrome://crashes) for unexpected renderer process terminations or sandbox violations that might indicate exploitation attempts.

Why prioritize this

Although the CVSS score is 4.3 (MEDIUM) and the Chromium severity is Low, this vulnerability merits patching within your standard Chrome update cycle because it represents a secondary-stage attack that could meaningfully increase damage from a primary browser exploit. The lack of KEV listing and observed exploitation suggests current risk is lower than baseline, making this suitable for routine patching rather than emergency response. Organizations with high-value data, strict data segregation requirements, or previous Chrome exploit incidents should prioritize this patch more aggressively.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects the network attack vector, low attack complexity, and requirement for user interaction. The 'confidentiality impact (Low)' and 'no integrity or availability impact' classify this as information disclosure. The score does not account for the prerequisite of renderer compromise, which in practice significantly lowers real-world risk. Chromium's own Low severity rating aligns with this assessment. The vulnerability is less critical than exploitable memory safety issues or universal sandbox escapes, but more serious than minor usability or performance bugs.

Frequently asked questions

Does this vulnerability allow attackers to compromise Chrome just by visiting a website?

No. The attacker must have already compromised the Chrome renderer process through a separate vulnerability or attack. Once inside the renderer, they can use this vulnerability to read data from other browser tabs. This is a privilege-escalation or capability-expansion vulnerability, not a primary entry point.

If I update Chrome to 149.0.7827.53, am I protected?

Yes. The patch fixes the FoldableAPIs implementation to properly enforce site isolation. After updating, the vulnerability is resolved. Chrome auto-updates by default on most platforms, but you can manually check chrome://settings/help to confirm you are on the patched version.

What is site isolation and why does it matter?

Site isolation is Chrome's security architecture that runs each website in its own OS-level process, preventing one malicious website from reading data in another website's tab or extension. Bypassing it—as this vulnerability allows—could expose authentication cookies, form data, or other sensitive information across tabs. Site isolation is one of Chrome's strongest defenses.

Is this vulnerability being actively exploited?

No. The CVE is not listed on CISA's Known Exploited Vulnerabilities catalog, and Chromium's internal severity is Low, indicating no observed active exploitation in the wild. However, it is prudent to apply the patch during your regular update cycle.

This analysis is provided for informational purposes and reflects publicly available information from official sources. SEC.co does not warrant the accuracy or completeness of this analysis and does not assume liability for any use or reliance on this information. Consult official vendor advisories and your organization's security policies before implementing any remediation. No exploit code or proof-of-concept details are provided. Patching advice is general and should be validated against your specific environment and Chrome deployment method. CVSS scores and severity ratings are sourced from official CVE and Chromium records. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).