Description
Insufficient validation of untrusted input in WebShare in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input in the WebShare component of Google Chrome for macOS allowed a remote attacker who had already compromised the renderer process to potentially escape the renderer sandbox via a crafted HTML page. The weakness is a classic input validation failure (CWE-20) that could lead to execution of arbitrary code with higher privileges. The official Chromium severity rating for this issue is High.

Affected Systems

Google Chrome for macOS versions prior to 149.0.7827.53 are affected. Versions equal to or newer than 149.0.7827.53 contain the fix and are not vulnerable.

Risk and Exploitability

An attacker must first obtain code execution or some other foothold within the renderer process and then serve a specially crafted HTML page to trigger the sandbox escape. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Despite the lack of recent exploitation data, the CVSS score of 8.3 and the remote nature of the flaw make it a significant risk for users running affected Chrome versions.

Generated by OpenCVE AI on June 5, 2026 at 05:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome on macOS to version 149.0.7827.53 or later, which contains the fixed handling of WebShare inputs.
  • Ensure Chrome’s automatic update mechanism is enabled so future security patches are applied without manual intervention.
  • Launch Chrome with the '--disable-features=WebShare' flag or use enterprise policy to disable WebShare until the patch is applied.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
Title Insufficient Validation in WebShare Allows Potential Sandbox Escape in Chrome for macOS

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Title Insufficient Validation in WebShare Allows Potential Sandbox Escape in Chrome for macOS
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in WebShare in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T01:41:38.494Z

Reserved: 2026-06-04T17:06:06.485Z

Link: CVE-2026-10920

Vulnrichment

Updated: 2026-06-05T01:38:53.053Z

NVD

Status: Received

Published: 2026-06-04T23:16:54.263

Modified: 2026-06-05T02:16:56.003

Link: CVE-2026-10920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T05:30:32Z

Weaknesses