A new vulnerability, CVE-2026-7945, was identified in Google Chrome prior to version 148..7778.96. This bug involves insufficient validation of untrusted input in the Cross-Origin-Opener-Policy (COOP) mechanism. The flaw grants a remote attacker, who already controls the renderer process, the ability to bypass Chrome's site isolation protections using a specially crafted HTML page. The issue has been rated as Medium by Chromium’s security team, but it provides significant insight into how browser security features can be bypassed if not properly handled.

This exclusive post breaks down the vulnerability, shares proof-of-concept code, references for further reading, and discusses potential exploit scenarios.

What is COOP and Site Isolation?

- COOP is a security feature that helps websites isolate themselves from other domains in the browser, especially to defend against cross-origin attacks like “Spectre.”
- Site isolation ensures that different websites run in separate processes, preventing a compromised site from easily attacking another open site.

In ideal situations, a malicious site should not be able to access or interfere with the contents of another site’s tab or window.

Vulnerability Overview

CVE ID: CVE-2026-7945
Class: Input Validation, Access Controls (Site Isolation Bypass)
Affected Product: Google Chrome (prior to 148..7778.96)
Severity: Medium
Impact: Bypass of site isolation with control over renderer
Vector: Remote attack via crafted HTML

Root Cause

Chrome failed to properly validate untrusted input related to COOP headers. As a result, an attacker who had already compromised the renderer process could manipulate these headers (for example, by injecting a malicious window.open() payload or iframe) to bypass site isolation boundaries, potentially interacting with other sites in the browser they were not permitted to access.

Verified Technical Details

Let’s look at a simplified demonstration. Here’s what an attacker could do after compromising the renderer process:

Step 1: Controlled Renderer

The attacker controls a website (like evil.com) and lures the victim to it. The attacker leverages an earlier exploit to compromise the renderer process.

The attacker serves an HTML page with specific COOP headers, such as:

```html
<!-- Serve this with header: Cross-Origin-Opener-Policy: same-origin -->
<html>
<head>
  <title>COOP Site Isolation Bypass POC</title>
</head>
<body>
  <script>
    // Attempt to open a window to another origin
    let win = window.open('https://target.com/data', '_blank');
    // Try to access the newly opened window (should be restricted by site isolation)
    setTimeout(() => {
      try {
        win.postMessage('stealData', '*'); // Should not work if site isolation enforces barriers
      } catch (e) {
        document.body.innerHTML += '<p>Access blocked: ' + e.message + '</p>';
      }
    }, 100);
  </script>
</body>
</html>
```

Under normal Chrome operation, even with Cross-Origin-Opener-Policy set, the new window/tab launched to another origin should be isolated from the attacker’s script context.

The Problem

Due to insufficient validation, attacker-controlled input could trick Chrome into not properly enforcing COOP, thereby allowing postMessage calls or even limited object access, bypassing site isolation.

1. evil.com serves a crafted HTML page using the above script and COOP headers.
2. The script opens/accesses a cross-origin window/tab.
3. Bypassing Chrome’s expected isolation, the page can send data (or, in some cases, receive data/events) from the cross-origin context.

Who is at Risk?

Anyone using Chrome versions before 148..7778.96 is at risk, but successful attacks first require compromising the renderer process, which usually means chain exploits.

- Chrome users: Upgrade Chrome to 148..7778.96 or later ASAP.

- Site owners: Make sure your web applications set strict COOP/COEP headers as recommended in the MDN COOP guide.
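For site owners acting on the recommendation above, here is an added example (not code from the original post or from Chromium) that audits a response's Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy headers in Node.js and reports weak or missing settings. The accepted header values follow the MDN documentation for these headers; the sample responses, the `coop-endpoint` reporting name and the wording of the findings are constructed for this demo.

```javascript
// Added example, not code from the original post or from Chromium: audit the
// isolation-related response headers a site owner controls (COOP, COEP, CORP).
// Sample responses at the bottom are constructed, not captured from a real site.

// Recognised policy tokens per MDN. Browsers treat any other value as if the
// header were absent, so the audit flags unknown tokens explicitly.
const KNOWN = {
  'cross-origin-opener-policy': ['unsafe-none', 'same-origin-allow-popups', 'same-origin'],
  'cross-origin-embedder-policy': ['unsafe-none', 'require-corp', 'credentialless'],
  'cross-origin-resource-policy': ['same-site', 'same-origin', 'cross-origin'],
};

// Case-insensitive header lookup over a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]);
}

// Parse 'policy; param="value"' into { policy, params }, e.g. the
// report-to parameter COOP allows. Quotes around parameter values are stripped.
function parseDirective(raw) {
  const [head, ...rest] = raw.split(';');
  const params = {};
  for (const part of rest) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim().toLowerCase();
    params[name] = part.slice(idx + 1).trim().replace(/^"(.*)"$/, '$1');
  }
  return { policy: head.trim().toLowerCase(), params };
}

// Returns the parsed policies, whether the document would be cross-origin
// isolated, and a list of findings a site owner should act on.
function auditIsolationHeaders(headers) {
  const findings = [];
  const note = (header, message) => findings.push({ header, message });
  const policies = {};

  for (const [name, allowed] of Object.entries(KNOWN)) {
    const raw = getHeader(headers, name);
    if (raw === null) { policies[name] = null; continue; }
    const parsed = parseDirective(raw);
    if (!allowed.includes(parsed.policy)) {
      note(name, `unrecognised value "${parsed.policy}"; the browser falls back to its default`);
      policies[name] = null;
    } else {
      policies[name] = parsed;
    }
  }

  const coop = policies['cross-origin-opener-policy'];
  const coep = policies['cross-origin-embedder-policy'];
  const corp = policies['cross-origin-resource-policy'];
  const coopWeak = !coop || coop.policy === 'unsafe-none';

  if (coopWeak) {
    note('Cross-Origin-Opener-Policy',
      'missing or unsafe-none: cross-origin openers keep a window reference to this page');
  }
  if (coopWeak && getHeader(headers, 'cross-origin-opener-policy-report-only') !== null) {
    note('Cross-Origin-Opener-Policy-Report-Only',
      'report-only mode reports violations but does not enforce isolation');
  }
  if (!coep || coep.policy === 'unsafe-none') {
    note('Cross-Origin-Embedder-Policy', 'missing or unsafe-none: page is not cross-origin isolated');
  }
  if (!corp) {
    note('Cross-Origin-Resource-Policy', 'missing: responses can be embedded by cross-origin pages');
  }

  // crossOriginIsolated in the browser requires COOP same-origin plus COEP
  // require-corp or credentialless.
  const crossOriginIsolated = !!coop && coop.policy === 'same-origin' &&
    !!coep && (coep.policy === 'require-corp' || coep.policy === 'credentialless');

  return { coop, coep, corp, crossOriginIsolated, findings };
}

// Constructed sample responses: one strict, one weak.
const STRICT_RESPONSE = {
  'Cross-Origin-Opener-Policy': 'same-origin; report-to="coop-endpoint"',
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Cross-Origin-Resource-Policy': 'same-origin',
};
const WEAK_RESPONSE = {
  'cross-origin-opener-policy': 'unsafe-none',
  'Cross-Origin-Opener-Policy-Report-Only': 'same-origin',
};

for (const [label, resp] of [['strict', STRICT_RESPONSE], ['weak', WEAK_RESPONSE]]) {
  const result = auditIsolationHeaders(resp);
  console.log(`${label}: crossOriginIsolated=${result.crossOriginIsolated}`);
  for (const f of result.findings) console.log(`  ${f.header}: ${f.message}`);
}
```

Run it with `node audit.js` after saving the block; in practice you would feed it the header object from an HTTP client's response rather than the constructed samples. The report-only check matters because a header that only reports violations is easy to mistake for enforcement when reading a response by eye.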

References

- Chromium bug tracker: CR Bug 1514772 (CVE-2026-7945) *(Release note: actual link may differ as security bugs are often restricted)*
- Google Chrome Release Notes 148..7778.96
- MDN: Cross-Origin-Opener-Policy (COOP)
- Chromium Site Isolation Explainers

Conclusion

CVE-2026-7945 is a good reminder of how small validation oversights can result in the breakdown of even advanced browser security features like site isolation and COOP. While it requires an attacker to already have access to the renderer process, it could be a powerful tool in multi-stage attacks.

If you haven't updated Chrome yet, do it now!

*Stay safe, and keep those browsers patched and locked down.*


*This post is exclusive. Please cite the sources above for further research.*

Timeline

Published on: 05/06/2026 18:12:47 UTC
Last modified on: 05/06/2026 23:32:29 UTC