Description
Type Confusion in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A type confusion bug in the V8 JavaScript engine of Google Chrome allows a remote attacker to craft a malicious HTML page that causes the engine to treat data as a different type, enabling the execution of arbitrary code inside the browser's sandbox. This can lead to compromised user sessions and potential data theft or manipulation within the scope of the sandboxed environment.

Affected Systems

Google Chrome desktop browsers running versions prior to 149.0.7827.53 are affected.

Risk and Exploitability

The vulnerability is marked as High severity and does not appear in the CISA KEV catalog. EPSS information is unavailable. Exploitation is inferred to require no local privileges; the likely attack vector is a malicious webpage viewed by the user, which indicates a remote attack delivered over HTTP/HTML. The lack of an exploit probability score implies it is a new or recently discovered flaw, but the high CVSS score indicates significant impact if successfully exploited.

Generated by OpenCVE AI on June 5, 2026 at 03:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or newer, which contains the V8 patch.
  • Enable automatic browser updates to ensure future patches are applied promptly.
  • Avoid opening unknown or suspicious HTML files in the browser, and consider isolating web browsing activity in a sandboxed environment or using a separate machine for risky content.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 07:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 05 Jun 2026 03:30:00 +0000

Type | Values Removed | Values Added
Title | | Type Confusion in V8 Leading to Remote Code Execution via HTML

Fri, 05 Jun 2026 01:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Type Confusion in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-843
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:42:57.883Z

Reserved: 2026-06-04T17:06:03.779Z

Link: CVE-2026-10910

Vulnrichment

Updated: 2026-06-05T00:40:54.178Z

NVD

Status: Undergoing Analysis

Published: 2026-06-04T23:16:52.943

Modified: 2026-06-05T15:02:34.977

Link: CVE-2026-10910

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T06:45:33Z

Weaknesses