Description
Race in Codecs in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the media codecs of Google Chrome on Windows enables a remote attacker, once they have compromised the renderer process, to potentially escape the sandbox through a specially crafted HTML page. This flaw is classified as CWE‑362 and could allow the attacker to execute arbitrary code with elevated privileges on the host system.

Affected Systems

The vulnerability affects Google Chrome for Windows versions earlier than 149.0.7827.53. Users running these builds are susceptible if a malicious page can obtain renderer process compromise.

Risk and Exploitability

The CVSS score is 8.3, which indicates high severity, and the EPSS score is not available. It is not listed in the CISA KEV catalog. Exploitation requires an attacker to first gain control of the renderer process, which is a significant prerequisite, meaning that, while the potential impact is severe, the likelihood of a successful attack in the wild remains limited without prior compromise.

Generated by OpenCVE AI on June 5, 2026 at 05:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later for all users.
  • Ensure that the browser’s auto-update mechanism is enabled so future security patches are applied automatically.
  • Filter or block navigation to untrusted web content, and employ browser extensions or host settings that enforce tighter sandbox restrictions.

Generated by OpenCVE AI on June 5, 2026 at 05:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
Title Race Condition in Chrome Codecs Allows Sandbox Escape

Fri, 05 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Race Condition in Chrome Codecs Allows Sandbox Escape

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Race in Codecs in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-362
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T01:39:37.318Z

Reserved: 2026-06-04T17:06:11.281Z

Link: CVE-2026-10940

cve-icon Vulnrichment

Updated: 2026-06-05T01:38:14.447Z

cve-icon NVD

Status : Received

Published: 2026-06-04T23:16:56.560

Modified: 2026-06-05T02:16:58.393

Link: CVE-2026-10940

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:30:32Z

Weaknesses