site isolation bypass

About this tag
The site isolation bypass tag covers vulnerabilities in Chromium-based browsers that allow an attacker to circumvent Chrome's site isolation security feature, even after compromising the renderer process. Recent discussions focus on CVE-2026-7910 and CVE-2026-7959, both affecting Chrome 148 on Windows. These flaws highlight the complexity of browser security, where a bypass after renderer compromise can undermine the isolation between sites. For Windows IT administrators, the practical takeaway is to inventory browser build numbers and verify patches across all Chromium-derived browsers, as vulnerability databases may not fully capture the ecosystem. The tag emphasizes the need for proactive patching and understanding the limits of site isolation as a defense.
  1. CVE-2026-13806: Chrome 150 Accessibility Fix Bypasses Site Isolation After Renderer Compromise

    Google fixed CVE-2026-13806 in Chrome 150.0.7871.47 for Windows and Mac after disclosing that earlier builds allowed a remote attacker, already inside Chrome’s renderer process, to bypass site isolation through a crafted HTML page using insufficient input validation in Accessibility. The...
  2. CVE-2026-7910: Chrome 148 Use-After-Free & Site Isolation Bypass—What Windows IT Must Do

    CVE-2026-7910 is a high-severity Chromium use-after-free flaw in the Views component, fixed in Google Chrome 148.0.7778.96/97 on May 5, 2026, and NVD’s current enrichment already includes the Google Chrome CPE, with Windows, Linux, and macOS modeled as underlying platforms. That means the...
  3. CVE-2026-7959: Chrome 148 Navigation Site Isolation Bypass—Why Windows Admins Should Patch

    Google and Microsoft disclosed CVE-2026-7959 on May 6, 2026, after Chrome 148 reached the stable desktop channel, fixing a medium-severity Chromium Navigation flaw that could let an attacker who had already compromised Chrome’s renderer bypass site isolation with a crafted HTML page. That...