CVE-2026-11658: Chrome Site Isolation Bypass in Extensions (Medium Severity)
A vulnerability in Google Chrome's extension validation system allows an attacker who has already compromised Chrome's renderer process to bypass site isolation—a critical security boundary that prevents malicious websites from accessing data across different sites. The flaw stems from insufficient checking of untrusted input in the Extensions subsystem. An attacker would need to trick a user into visiting a specially crafted HTML page while the renderer is already compromised, making this a secondary attack that compounds an existing breach rather than a standalone entry point.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11658 is a site isolation bypass vulnerability affecting Google Chrome versions prior to 149.0.7827.103. The root cause is inadequate input validation (CWE-20) in the Extensions component when processing untrusted data. Site isolation is a process-level sandbox that confines each website to its own renderer process, preventing cross-site data theft even if one site is compromised. This vulnerability allows a remote attacker with control over the compromised renderer process to craft an HTML page that circumvents this isolation boundary. The attack requires user interaction (visiting the malicious page) but assumes the renderer is already under attacker control, indicating this is a post-compromise technique rather than a primary exploitation vector.
Business impact
Organizations face elevated risk if employees with compromised Chrome instances visit attacker-controlled sites, potentially leading to theft of sensitive data across multiple websites accessed in that browser session. The practical impact is moderate because the attack requires a prior renderer compromise; however, it significantly increases the damage of an existing browser compromise. Industries handling sensitive customer data, financial services, and healthcare should prioritize patching to prevent data exfiltration scenarios that span multiple internal or external web applications.
Affected systems
Google Chrome versions before 149.0.7827.103 are vulnerable. The vulnerability affects Chrome across all major platforms: Windows, macOS, and Linux. Users and organizations running unpatched versions of Chrome are at risk if their renderer process becomes compromised through other attack vectors.
Exploitability
Exploitation requires two conditions: (1) the renderer process must already be compromised by an attacker, and (2) the user must visit an attacker-controlled or attacker-modified HTML page. The CVSS vector reflects these prerequisites—network-accessible, low attack complexity, no privileges needed, but user interaction required. The vulnerability is not currently listed in the Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread in-the-wild exploitation has been confirmed by CISA. However, the medium CVSS score and Chromium's High severity rating suggest it warrants prompt patching rather than delayed response.
Remediation
Update Google Chrome to version 149.0.7827.103 or later. Verify the update in Chrome Settings > About Google Chrome, which triggers automatic update checking. Organizations managing Chrome deployments via policy should use enterprise update channels to distribute patches. No workarounds are available for the underlying validation flaw; patching is the only mitigation.
Patch guidance
Patch availability: Chrome 149.0.7827.103 or later contains the fix. Deployment priority should be medium-to-high given the site isolation bypass nature and Chromium's High severity classification. Consider prioritizing systems accessed by employees handling sensitive multi-site workflows (intranet + external vendor portals, for example). Automatic Chrome updates are enabled by default for most users; enterprise administrators should verify successful deployment across their Chrome endpoints within 5–7 days of patch release.
Detection guidance
Detection is challenging because the vulnerability resides in Chrome's internal extension validation logic. Monitor for: (1) Chrome crash dumps or renderer process restarts, which may indicate exploitation attempts; (2) unexpected extension installations or modifications in Chrome profiles; (3) user reports of unusual cross-site data access or authentication anomalies. Browser telemetry and endpoint detection tools that monitor process behavior may flag suspicious renderer activity, but signature-based detection of this specific bypass is difficult. Assume detection will be reactive rather than preventive.
Why prioritize this
While this vulnerability requires a pre-existing renderer compromise, it materially worsens the impact of that compromise by enabling cross-site data theft. The combination of site isolation bypass (a core Chrome security model) and medium-to-high severity rating makes it a priority fix. It ranks below critical vulnerabilities affecting direct code execution paths but above low-severity bugs. Organizations should patch within 2–4 weeks unless they operate in high-data-sensitivity sectors, in which case 1–2 weeks is prudent.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects limited attack complexity and user interaction requirements, but no direct confidentiality impact under the standard scoring model. However, this underweights the practical threat: site isolation is a foundational Chrome security feature, and bypassing it—even post-compromise—amplifies data exfiltration risks. The Chromium security team's High severity rating acknowledges this context. Organizations should treat this as higher-risk than the base CVSS suggests when assessing patch scheduling.
Frequently asked questions
Does this vulnerability allow an attacker to steal data from any website without compromising Chrome first?
No. The vulnerability requires the renderer process to already be compromised. It does not provide a standalone way to break site isolation. It is a secondary attack that amplifies the impact of an existing breach.
Is this vulnerability being actively exploited in the wild?
As of the last update, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no confirmed widespread exploitation has been reported. However, organizations should not delay patching based on this—KEV status lags behind initial disclosure.
Will updating Chrome break my extensions or settings?
No. Chromium and Chrome updates are backward-compatible with validly coded extensions. Only malicious or non-compliant extensions may be affected, which is the intended outcome of the fix.
Can I disable Chrome extensions to reduce my risk until I patch?
Disabling extensions will not prevent this vulnerability if the renderer is already compromised. The vulnerability exists in Chrome's extension validation logic itself, not in third-party extensions. Patching is the correct mitigation.
This analysis is provided for informational purposes and reflects the vulnerability details and patch status as of the published date. Organizations must verify patch availability and applicability to their environment against official Google Chrome release notes and advisories. The assessment of exploitability and business impact is contextual and may vary based on organizational risk profile, Chrome deployment practices, and threat landscape. No liability is assumed for decisions made based on this analysis. Always consult vendor advisories and internal risk frameworks when prioritizing security updates. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls