Description
Use after free in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in Chrome’s Network component that can be triggered from a crafted HTML page. It allows a remote attacker who has already compromised the renderer process to cause a sandbox escape, potentially executing arbitrary code with the privileges of the browser or the host. This vulnerability involves a high‑severity memory‑safety weakness (CWE‑416) and a related data‑flow issue (CWE‑825).

Affected Systems

Google Chrome versions before 149.0.7827.53 on desktop platforms are affected; the bug exists in the Network component of the renderer process.

Risk and Exploitability

The EPSS score is available and is less than 1%, and the vulnerability is not listed in KEV, yet its high severity and the ability to escape the sandbox mean a successful exploit could lead to full system compromise. The CVSS score is 8.3. An attacker must first breach the renderer process, a non‑trivial requirement, but the impact once achieved is severe.

Generated by OpenCVE AI on June 7, 2026 at 14:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later.
  • Run Chrome with the least privileges necessary, for example by using a dedicated low‑privilege user account or applying OS‑level sandboxing.
  • Monitor renderer processes for crashes or unusual activity and investigate any anomalies that could indicate exploitation attempts.

Generated by OpenCVE AI on June 7, 2026 at 14:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in Network
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 05 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Chrome Network Enables Sandbox Escape via Crafted HTML

Fri, 05 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Fri, 05 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Chrome Network Enables Sandbox Escape via Crafted HTML

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T01:43:40.596Z

Reserved: 2026-06-04T17:06:00.846Z

Link: CVE-2026-10905

cve-icon Vulnrichment

Updated: 2026-06-05T01:39:32.819Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:16:52.313

Modified: 2026-06-05T20:01:27.847

Link: CVE-2026-10905

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10905 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T14:15:07Z

Weaknesses