PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9979 Google CVE debrief

A site isolation bypass vulnerability in Google Chrome's Input handling, rated Medium severity (CVSS 5.0), was disclosed on May 28, 2026. The flaw stems from insufficient validation of untrusted input and requires an attacker to first compromise the renderer process, then leverage a crafted HTML page to bypass site isolation protections. The Chromium security team assigned this a High severity rating internally. Chrome stable channel update 148.0.7778.216 contains the fix. The vulnerability is classified under CWE-20 (Improper Input Validation). No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.

Vendor
Google
Product
Chrome
CVSS
MEDIUM 5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations with large Chrome deployments, especially those handling sensitive cross-origin data in browser sessions, should prioritize this patch. Security teams monitoring for renderer exploitation chains should include this in detection coverage. Managed service providers supporting Chrome Enterprise environments should validate update compliance.

Technical summary

The vulnerability exists in Chrome's Input component where untrusted input is not sufficiently validated. An attacker who has already achieved renderer process compromise—a significant precondition—can craft a malicious HTML page to bypass site isolation. Site isolation is a critical Chrome security boundary that prevents cross-site data exfiltration even when renderer processes are compromised. Successful bypass could allow cross-origin data access. The attack requires user interaction (UI:R) and high attack complexity (AC:H) per the CVSS vector, with network attack vector (AV:N) but no privileges required (PR:N). The confidentiality, integrity, and availability impacts are all rated Low.

Defensive priority

medium

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.216 or later as soon as feasible given organizational patch cycles
  • Verify endpoint management systems report Chrome installations at or above the patched version
  • Review browser isolation policies and consider additional site isolation hardening where renderer compromise is a concern
  • Monitor for anomalous renderer process behavior that could indicate preconditions for this vulnerability being met
  • Assess whether managed browser configurations restrict navigation to untrusted origins that could deliver crafted HTML pages

Evidence notes

CVE description states 'Insufficient validation of untrusted input in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.' CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L. Chromium security severity: High. Weakness: CWE-20. Source references confirm fix in Chrome stable channel update.

Official resources

public