CVE-2026-9979: Chrome Site Isolation Bypass
CVE-2026-9979 is a site isolation bypass vulnerability in Google Chrome that allows an attacker to escape the security boundary between different websites if they have already compromised Chrome's rendering engine. An attacker would need to trick a user into visiting a malicious HTML page while the renderer process is already under their control. Site isolation is Chrome's core defense mechanism that prevents one website's scripts from accessing another website's data; this vulnerability undermines that protection in a limited but serious scenario.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.0 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient validation of untrusted input within Chrome's input handling mechanisms prior to version 148.0.7778.216. The flaw permits a threat actor who has achieved renderer process compromise to bypass site isolation—Chrome's sandboxing architecture that isolates web content by site—through a specially crafted HTML page. The attack requires both renderer process compromise and user interaction, significantly limiting the practical attack surface. The Chromium security team classified this as High severity at the engine level, though the CVSS 3.1 score reflects the additional prerequisites.
Business impact
For most users, the direct risk is moderate because exploitation requires a prior renderer compromise. However, organizations where users frequently visit untrusted content or where advanced adversaries operate should treat this seriously. The impact is confined to confidentiality, integrity, and availability within the context of a single compromised browser session—not system-wide. Enterprises with strict browsing policies and defense-in-depth controls will see minimal incremental risk; those with lax endpoint security or high-risk user populations should prioritize patching.
Affected systems
Google Chrome on Windows, macOS, and Linux systems running versions prior to 148.0.7778.216 are affected. The vulnerability is engine-level and affects all Chrome instances on these operating systems. Chromium-based browsers (Edge, Brave, Opera, etc.) may also be vulnerable if they incorporate the affected code path before their own patching cycles complete.
Exploitability
Real-world exploitation requires two conditions: (1) the attacker must first compromise Chrome's renderer process through a separate vulnerability or attack vector, and (2) the user must then visit a malicious HTML page crafted to trigger the site isolation bypass. This two-stage dependency significantly reduces exploitability compared to a direct renderer RCE. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, indicating no observed active exploitation in the wild as of the last update.
Remediation
Update Google Chrome to version 148.0.7778.216 or later. Users on Windows, macOS, and Linux should enable automatic updates or manually check via Settings > About Google Chrome. For managed enterprises, deploy the update through your standard patch management workflow. Because this flaw requires renderer compromise as a prerequisite, it should be prioritized alongside any critical renderer vulnerabilities in your threat model but does not constitute an emergency on its own.
Patch guidance
Google has issued Chrome version 148.0.7778.216 as the fix. Most users will receive this automatically if auto-update is enabled (the default). Manual verification: open Chrome menu > Settings > About; Chrome will check for updates and install if available. For IT administrators, validate that your device management policies have pushed this version to endpoints and monitor compliance. If you run Chromium-based alternatives (Edge, Brave), cross-reference their release notes to confirm they have incorporated the upstream Chromium fix.
Detection guidance
Monitor for Chrome versions below 148.0.7778.216 in your environment via endpoint detection tools or MDM solutions. Behavioral detection is difficult without indicators of prior renderer compromise. Log and alert on unusual renderer process crashes or unexplained memory dumps, which may indicate exploitation attempts. For advanced threat hunting, correlate site isolation bypass attempts with prior RCE exploits or watering-hole campaigns on your network.
Why prioritize this
Although CVSS is rated MEDIUM (5.0), the Chromium engine severity is HIGH, reflecting the severity of site isolation bypass as an architectural concern. However, the practical prioritization should be MEDIUM-HIGH rather than critical because active exploitation requires an upstream renderer compromise. Prioritize this patch for users in high-risk environments (journalists, activists, corporate targets of APTs) and ensure it is included in your regular monthly Chrome update cycle. For general user populations, treat as routine maintenance.
Risk score, explained
The CVSS 3.1 score of 5.0 (MEDIUM) reflects: network-accessible attack vector, high complexity (requires renderer compromise plus user interaction), no privileges required, user interaction required, and limited impact scoped to confidentiality, integrity, and availability. While Chromium's internal severity is High, CVSS appropriately downrates this because the vulnerability cannot be exploited in isolation—it is a post-compromise capability rather than an initial access vector. The score accurately represents real-world risk for most users.
Frequently asked questions
Do I need to patch this immediately?
Not necessarily. This vulnerability requires your Chrome renderer process to be compromised first, which is a serious but separate incident. If you keep Chrome and other software up to date, your risk is already mitigated. Apply the patch in your normal monthly update cycle. Prioritize immediately only if you work in a high-risk industry or have evidence of targeted attacks.
What does 'site isolation' mean and why is bypassing it dangerous?
Site isolation is Chrome's security boundary that prevents JavaScript from one website from reading data (cookies, passwords, session tokens) from another website. If an attacker bypasses it after compromising your renderer, they could steal sensitive information from multiple sites in your browser session. This is serious but limited to that one browser session.
Will I be automatically patched?
Yes, if you have Chrome's automatic updates enabled (the default setting). Chrome will download and install version 148.0.7778.216 in the background and apply it on the next restart. To verify, go to Settings > About Google Chrome—if you see 'Checking for updates' and then a version number of 148.0.7778.216 or higher, you are patched.
Does this affect other browsers like Firefox or Safari?
No, this vulnerability is specific to Chrome and Chromium-based browsers. However, Chromium-based alternatives (Microsoft Edge, Brave, Opera) may be affected if they have not yet incorporated the fix from upstream Chromium. Check your browser's update status separately. Firefox and Safari use different rendering engines and are not impacted.
This analysis is provided for educational and operational security purposes. CVSS scores, affected versions, and patch information are derived from official Chromium and vendor advisories; verify against the latest vendor documentation before deployment. Exploitation requires multiple prerequisites and is not documented in active use. No exploit code or weaponized proof-of-concept is provided. Security decisions should be made in the context of your organization's risk tolerance, asset criticality, and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls