Description
Type Confusion in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A type confusion vulnerability in V8 can let an attacker execute arbitrary code inside the Chrome renderer sandbox by loading a specially crafted HTML page. The flaw is a mismatch between expected and actual JavaScript types, allowing control over memory to create malformed objects that are later used in privileged code paths. This weakness corresponds to CWE-843.

Affected Systems

Google Chrome versions earlier than 149.0.7827.53 are affected.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating high severity, and is exploitable from a remote web page, allowing code execution within the sandbox. No EPSS value is available, and it is not listed in CISA’s KEV catalog. The attack vector is likely a crafted URL or embedded script that a user opens or visits in Chrome.

Generated by OpenCVE AI on June 5, 2026 at 04:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 149.0.7827.53 or later.
  • If an update is not immediately available, disable JavaScript in Chrome settings to reduce the attack surface.
  • Continuously monitor Chrome update channels for further patches and apply them as soon as they become available.

Generated by OpenCVE AI on June 5, 2026 at 04:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Type Confusion in V8 Enabling Remote Code Execution via Crafted HTML

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Type Confusion in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-843
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:42:27.805Z

Reserved: 2026-06-04T17:06:10.305Z

Link: CVE-2026-10936

cve-icon Vulnrichment

Updated: 2026-06-05T00:40:45.682Z

cve-icon NVD

Status : Received

Published: 2026-06-04T23:16:56.117

Modified: 2026-06-05T02:16:58.043

Link: CVE-2026-10936

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T04:45:32Z

Weaknesses