PatchSiren cyber security CVE debrief
CVE-2026-9980 Google CVE debrief
A site isolation bypass in Google Chrome's Printing component, rated High severity by Chromium. The flaw stems from insufficient validation of untrusted input and could allow a remote attacker who has already compromised the renderer process to bypass site isolation protections via a crafted HTML page. The vulnerability affects Chrome versions prior to 148.0.7778.216. The CVE was published on 2026-05-28 and modified on 2026-05-29; it is currently listed as Undergoing Analysis in the NVD. No known exploitation in ransomware campaigns has been documented (not present in CISA KEV).
- Vendor:
- Product: Chrome
- CVSS: MEDIUM 5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations with large Chrome deployments, particularly those handling sensitive cross-origin data in browser sessions. Security teams monitoring for renderer compromise chains and site isolation bypass techniques. Endpoint administrators responsible for browser patch management.
Technical summary
The vulnerability exists in Chrome's Printing functionality, where untrusted input is not sufficiently validated. An attacker who has already achieved renderer process compromise can craft a malicious HTML page to bypass site isolation, potentially enabling cross-origin data access that site isolation normally prevents. Per the CVSS vector, the attack requires user interaction (UI:R) and has high attack complexity (AC:H), a network attack vector (AV:N), and no privileges required (PR:N). The confidentiality, integrity, and availability impacts are all rated low (C:L/I:L/A:L). The fix was released in Chrome Stable channel update 148.0.7778.216.
Defensive priority
medium
Recommended defensive actions
- Update Google Chrome to version 148.0.7778.216 or later to address the site isolation bypass in the Printing component.
- Prioritize patching on endpoints where untrusted web content is routinely rendered, particularly if other renderer compromise mitigations are not fully deployed.
- Monitor for unusual cross-origin data access or renderer process anomalies that could indicate attempted exploitation of this class of vulnerability.
- Review printing-related policies and consider restricting automatic print preview or silent printing features for untrusted sites as a defense-in-depth measure.
Evidence notes
The vulnerability description and affected product information are sourced from the official CVE record and NVD entry. Vendor attribution to Google is inferred from the Chrome release notes reference domain (chromereleases.googleblog.com) and the chromium.org issue tracker reference, though the vendor field in the source data is marked low-confidence and flagged for review. The CVSS base score of 5.0 (MEDIUM) and CVSS:3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L are taken from NVD metadata. CWE-20 (Improper Input Validation) is listed as a secondary weakness.