CVE-2026-11689: Chrome Site Isolation Bypass via Renderer Process Compromise
A vulnerability in Google Chrome versions before 149.0.7827.103 allows an attacker who has already compromised Chrome's renderer process to break through site isolation—Chrome's security boundary that keeps websites from accessing each other's data. An attacker would need to trick a user into visiting a malicious webpage after the renderer is already compromised, but if successful, they could read or modify sensitive information across different websites.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in Passwords in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11689 stems from insufficient policy enforcement in Chrome's password handling mechanisms. The vulnerability affects the site isolation feature, which sandboxes renderer processes to prevent cross-site data leakage. An attacker with renderer process compromise can craft a malicious HTML page to bypass this isolation boundary. The attack requires a prior compromise of the renderer process and user interaction (visiting the crafted page), but once triggered, grants the attacker High confidentiality and integrity impact. The vulnerability is classified as CWE-20 (Improper Input Validation), indicating that Chrome's policy validation logic did not adequately restrict policy manipulation through specially crafted HTML.
Business impact
This vulnerability poses a significant risk to organizations where users rely on Chrome for accessing sensitive web applications. An attacker who has already compromised a user's Chrome renderer process (through a separate vulnerability or malware) can escalate that compromise to steal credentials, session tokens, or sensitive data from multiple websites simultaneously by bypassing site isolation. For enterprises managing Chrome deployments, this creates a two-stage attack scenario: initial compromise, then site isolation bypass. The window for exploitation closes once users update to the patched version, making timely patching critical for reducing exposure window.
Affected systems
Google Chrome versions prior to 149.0.7827.103 on Windows, macOS, and Linux are affected. The vulnerability's impact is cross-platform; any system running vulnerable Chrome builds is at risk. Linux kernel and Windows OS are listed as affected platforms in the context of Chrome running on those operating systems, not due to flaws in the OS itself.
Exploitability
Exploitation requires two preconditions: (1) the attacker must have already compromised Chrome's renderer process through another attack vector, and (2) the user must then visit an attacker-controlled or attacker-modified webpage. The CVSS vector (AV:N/AC:L/PR:N/UI:R) reflects that the initial network attack is low complexity and requires user interaction, but only after prior renderer compromise. This is not a standalone remote code execution; it is a privilege escalation within an already-compromised browser context. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog, indicating no evidence of active exploitation in the wild at the time of publication.
Remediation
Update Google Chrome to version 149.0.7827.103 or later. Chrome's auto-update mechanism typically deploys patches within days; verify that auto-update is enabled in your environment. For managed Chrome deployments (Windows, macOS, Linux), use your organization's policy management tools to enforce the minimum version. No workaround exists for this vulnerability; patching is the only mitigation.
Patch guidance
Verify that Chrome has updated to 149.0.7827.103 or later by checking Help > About Google Chrome, which will display the current version and auto-update status. For Windows enterprise environments, use Group Policy or Cloud Management to enforce the minimum version. macOS administrators should verify via system preferences or Mobile Device Management. Linux administrators should confirm package managers have provided the patched version. Test the patch in a non-production environment first if possible to ensure compatibility with internal web applications, though this patch addresses only a security boundary and should not break compatibility.
Detection guidance
Monitor Chrome version compliance across your organization using endpoint management tools. Look for users running Chrome versions below 149.0.7827.103. Since exploitation requires prior renderer compromise, investigate any instances of renderer process crashes, unexpected memory access patterns, or security alerts from Chrome's sandbox before this vulnerability is exploited. Network-based detection is difficult because the malicious HTML is user-supplied after compromise; focus on ensuring timely patching rather than post-breach detection. If you suspect a renderer compromise has occurred, isolate the affected system immediately.
Why prioritize this
This vulnerability merits prompt patching despite not yet being actively exploited. The CVSS score of 8.1 (High) reflects significant confidentiality and integrity impact, and the attack surface spans all Chrome users. Although exploitation requires prior renderer compromise, the ease of triggering the bypass once that condition is met makes this a valuable target for multi-stage attacks. Organizations should prioritize updating Chrome within their standard patch windows (typically 1–2 weeks) to close the window where a compromised renderer can be leveraged for further data theft.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects: (1) Network-based attack vector—an attacker-controlled page can trigger the bypass; (2) Low attack complexity—no special conditions or user knowledge required beyond visiting the page; (3) No privileges required—a standard user's renderer process is the target; (4) Required user interaction—the user must navigate to the malicious page; (5) High confidentiality impact—data from any website in the same browser profile can be accessed; (6) High integrity impact—the attacker can modify data; (7) No availability impact. The score appropriately reflects the severity of site isolation bypass, though real-world risk is gated by the need for prior renderer compromise.
Frequently asked questions
Does this vulnerability affect Chrome on mobile devices?
CVE-2026-11689 affects Chrome on Windows, macOS, and Linux. Chrome on Android and iOS have different architectures and security models; verify with Google's security advisories whether mobile Chrome versions are affected, as the published data does not specify mobile platform coverage.
What does 'renderer process compromise' mean, and how likely is it?
Chrome runs each tab and extension in a separate renderer process sandboxed from the OS and other processes. A compromise means an attacker has executed code within that sandbox through another vulnerability (e.g., a JavaScript engine bug, extension exploit, or via malware). Such compromises are possible but typically require a separate exploit; this CVE assumes that step has already happened and describes what an attacker can do next.
Can I disable site isolation as a workaround?
Site isolation is a core security feature and should never be disabled. There is no safe workaround for this vulnerability; the only mitigation is to update Chrome to the patched version.
Will Chrome's auto-update mechanism automatically protect me?
If auto-update is enabled (the default), Chrome will download and apply version 149.0.7827.103 or later automatically, typically within a few days of release. In enterprise environments, confirm that auto-update is not disabled by policy and that no blocklists prevent the update.
This analysis is provided for informational purposes and should not be construed as legal or compliance advice. Organizations must independently verify patch applicability to their specific Chrome versions and configurations. The vulnerability details are based on the official published description; refer to Google's official security advisory for the most current information, including any updates to affected versions or patch availability. No exploit code or proof-of-concept is provided. Always test patches in a non-production environment before enterprise-wide deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10922HIGHChrome DevTools Same-Origin Policy Bypass (CVSS 8.8)
- CVE-2026-10969HIGHChrome Extension Privilege Escalation Vulnerability – Patch Guidance
- CVE-2026-10970HIGHChrome Sandbox Escape via InterestGroups Input Validation Flaw
- CVE-2026-11046HIGHChrome Media Sandbox Escape – Patch Now to Version 149.0.7827.53