Description
Inappropriate implementation in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the V8 JavaScript engine of Google Chrome and allows a remote attacker to execute arbitrary code inside the sandbox by serving a specially crafted HTML page. The advisory attributes the flaw to an inappropriate implementation in V8, and the record classifies it as memory corruption (CWE-119 and CWE-125). Successful exploitation would let the attacker run code with the privileges of the Chrome renderer process. Because that code runs inside the sandbox, compromising the host system would additionally require bypassing the browser's sandbox protections.

Affected Systems

All users of Google Chrome on desktop platforms running a version prior to 149.0.7827.53 are affected. Versions of the stable channel that have not yet been updated to 149.0.7827.53 or later are vulnerable, regardless of operating system.

Risk and Exploitability

The vulnerability is rated as high severity by Chromium security. Because the attack requires only a crafted web page, the attack vector is remote and can be triggered by any site the user visits or any email containing a malicious link. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, but the lack of a public exploit does not mitigate the inherent risk of remote code execution. Therefore, the likelihood of exploitation remains significant for attackers targeting Chromium users who have not applied the latest update.

Generated by OpenCVE AI on June 5, 2026 at 03:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to the latest stable release (149.0.7827.53 or newer).
  • If an immediate update is not possible, restrict the browser’s ability to render potentially malicious content by enabling a strict Content Security Policy and disabling JavaScript for untrusted sites.
  • Consider temporarily blocking access to the site or URL that serves the malicious content until the update can be applied.
  • Monitor browser activity for unexpected process launches or elevated privilege use, which may indicate exploitation attempts.



Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:30:00 +0000

Type | Values Removed | Values Added
Title | - | Inappropriate V8 Implementation Enables Remote Code Execution in Chrome
Weaknesses | - | CWE-119, CWE-125

Fri, 05 Jun 2026 02:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Google; Google chrome
Vendors & Products | - | Google; Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | - | Inappropriate implementation in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:03:32.294Z

Reserved: 2026-06-04T17:06:00.599Z

Link: CVE-2026-10904

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:16:52.183

Modified: 2026-06-04T23:16:52.183

Link: CVE-2026-10904

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T03:15:16Z

Weaknesses