
CVE-2026-14156 is a security feature bypass vulnerability caused by insufficient policy enforcement in the StorageAccessAPI component of Google Chrome. It affects all versions of Google Chrome prior to 150.0.7871.47 on Windows, Mac, and Linux. A remote attacker who has already compromised the renderer process can exploit this flaw to bypass the same-origin policy via a crafted HTML page. The vulnerability was published on June 30, 2026, and is rated Low severity by the Chromium security team; a formal CVSS score has not yet been assigned (GitHub Advisory, Chrome Releases).
The root cause is insufficient policy enforcement in Chrome's StorageAccessAPI, which governs cross-origin storage access permissions (CWE classification not yet formally assigned). When a renderer process has been compromised, an attacker can craft a malicious HTML page that exploits the lax policy checks in StorageAccessAPI to circumvent same-origin policy restrictions. Exploitation requires a pre-existing renderer process compromise as a precondition, making this a second-stage or chained vulnerability rather than a standalone entry point. The Chromium issue tracker entry (issue 518247789) is currently restricted pending broader user updates (GitHub Advisory, Chrome Releases).
Successful exploitation allows an attacker with a compromised renderer process to bypass the same-origin policy, gaining unauthorized access to storage and resources belonging to different origins that should otherwise be isolated. This could expose sensitive data stored in cross-origin contexts such as cookies, localStorage, or IndexedDB, and may facilitate further lateral movement within a browser session. The impact is constrained by the prerequisite of a compromised renderer, limiting the blast radius compared to unauthenticated vulnerabilities, but it can meaningfully amplify the damage of a renderer exploit chain (GitHub Advisory).
Google has released a patch in Chrome version 150.0.7871.47 (Windows/Mac) and 150.0.7871.46 (Linux), which is part of the Chrome 151 stable channel promotion. Users and administrators should update Google Chrome to version 150.0.7871.47 or later immediately. No configuration-based workarounds have been published; updating to the patched version is the only recommended remediation. Enterprise administrators should ensure managed devices receive the update promptly and monitor for signs of renderer process compromise, as this vulnerability requires such a precondition (Chrome Releases).
Source: This report was generated using AI