Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12457

CVE-2026-12457: Google Chrome Auth Bypass Vulnerability

CVE-2026-12457 is an authentication bypass vulnerability in Google Chrome Extensions that allows attackers to bypass site isolation. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-12457 Overview

CVE-2026-12457 is a site isolation bypass vulnerability in the Extensions component of Google Chrome prior to version 149.0.7827.155. An attacker who has already compromised the renderer process can use a crafted HTML page to bypass site isolation boundaries. The flaw is tracked under [CWE-693: Protection Mechanism Failure] and Chromium rates the security severity as High, while NVD assigns a medium CVSS score of 4.2.

The issue affects Chrome installations across Windows, macOS, and Linux desktop platforms. Google has addressed the vulnerability in the stable channel update for desktop.

Critical Impact

A remote attacker with a compromised renderer process can bypass Chrome's site isolation security boundary, undermining cross-origin protection between web content.

Affected Products

  • Google Chrome prior to 149.0.7827.155
  • Chrome desktop on Microsoft Windows
  • Chrome desktop on Apple macOS and Linux

Discovery Timeline

  • 2026-06-17 - CVE-2026-12457 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-12457

Vulnerability Analysis

The vulnerability resides in the Extensions subsystem of Chrome. Site isolation is a defense-in-depth mechanism that places content from different sites into separate renderer processes. This boundary protects sensitive cross-origin data even when a renderer is compromised through another bug.

Exploitation requires two preconditions. First, the attacker must already control the renderer process, typically through chaining with a separate memory corruption or logic flaw. Second, the victim must load a crafted HTML page that triggers the extensions logic path. High attack complexity and required user interaction reduce real-world exploitability, which is reflected in the EPSS probability of 0.191%.

The categorized weakness, Protection Mechanism Failure [CWE-693], indicates the code does not correctly enforce an intended security control rather than introducing a memory safety issue.

Root Cause

The root cause is an inappropriate implementation within Chrome's Extensions handling that fails to consistently honor site isolation invariants. When the extensions code processes content originating from a compromised renderer, origin checks do not block the cross-process or cross-origin operation that site isolation is designed to prevent.

Attack Vector

The attack is delivered over the network through a malicious or attacker-controlled HTML page. The attacker chains a prior renderer compromise with this flaw to read or influence data from another site that would otherwise be isolated. See the Chromium Issue Tracker Entry for additional technical context.

No public proof-of-concept exploit, ExploitDB entry, or evidence of in-the-wild exploitation has been reported. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-12457

Indicators of Compromise

  • Chrome browser processes with versions earlier than 149.0.7827.155 observed in endpoint inventory telemetry.
  • Unexpected child processes or extension activity spawned from chrome.exe shortly after navigation to untrusted pages.
  • Outbound connections from renderer processes to domains not associated with the active browsing tab.

Detection Strategies

  • Inventory installed Chrome versions across managed endpoints and flag any build below 149.0.7827.155.
  • Correlate browser crash telemetry, extension install events, and suspicious renderer behavior to surface attempted exploit chains.
  • Monitor for HTML payloads containing unusual extension API invocations served from low-reputation domains.

Monitoring Recommendations

  • Forward Chrome enterprise reporting and endpoint process telemetry to a centralized analytics platform for version compliance and anomaly review.
  • Track Chrome extension install, update, and permission-change events in user environments.
  • Alert on renderer-originated network connections that deviate from expected per-tab origins.

How to Mitigate CVE-2026-12457

Immediate Actions Required

  • Update Chrome on all managed Windows, macOS, and Linux endpoints to version 149.0.7827.155 or later.
  • Verify enterprise auto-update policies are enabled and not blocked by network or proxy configuration.
  • Restart Chrome on user devices after the update to ensure the patched binary is active.

Patch Information

Google released the fix in the Chrome stable channel update for desktop. Details are documented in the Google Chrome Update Announcement. Administrators should deploy 149.0.7827.155 or later across all desktop platforms.

Workarounds

  • Restrict installation of unreviewed Chrome extensions using enterprise policy to reduce attack surface.
  • Apply allow-listing for trusted extensions through the ExtensionInstallAllowlist and ExtensionInstallBlocklist policies until patching is complete.
  • Limit user browsing to trusted sites via web filtering when patch deployment is delayed.
bash
# Verify installed Chrome version on Linux/macOS
google-chrome --version

# Windows: query installed version from registry
reg query "HKLM\Software\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}" /v pv

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne