Description
Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow in the V8 JavaScript engine of Google Chrome allows a remote attacker to trigger arbitrary code execution inside a sandboxed process by serving a crafted HTML page. The weakness, identified as CWE-190 and CWE-472, can result in compromised confidentiality and integrity of the victim system if the attacker also escapes the browser sandbox.

Affected Systems

Google Chrome desktop releases prior to version 149.0.7827.53 on Windows, macOS, and Linux are affected. Users on any of these operating systems should verify that their installed Chrome build is 149.0.7827.53 or later.

Risk and Exploitability

The attack vector requires delivery of a malicious HTML page to the vulnerable browser. The EPSS score of less than 1% indicates a very low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The high CVSS score of 8.8 reflects the significant impact if an exploit is discovered. Based on the low EPSS score, it can be inferred that active exploitation is unlikely, though high severity warrants vigilance.

Generated by OpenCVE AI on June 7, 2026 at 16:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest stable Chrome version (149.0.7827.53 or newer).
  • Restrict JavaScript execution from untrusted or unknown sites to reduce the attack surface.
  • When possible, run potentially malicious web content in a separate isolated environment, such as a virtual machine or sandboxed application, to contain any exploitation.

Advisories
Source | ID | Title
Debian DSA | DSA-6325-1 | chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Integer overflow in V8
Weaknesses CWE-190
References
Metrics threat_severity

None

threat_severity

Important


Fri, 05 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Title Integer Overflow in V8 Enabling Remote Code Execution

Fri, 05 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Integer Overflow in V8 Enabling Remote Code Execution

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-472
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-06T03:56:54.230Z

Reserved: 2026-06-04T17:06:16.875Z

Link: CVE-2026-10963

Vulnrichment

Updated: 2026-06-05T00:18:11.574Z

NVD

Status: Analyzed

Published: 2026-06-04T23:16:59.390

Modified: 2026-06-05T15:34:07.237

Link: CVE-2026-10963

Redhat

Severity: Important

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10963 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T16:15:03Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound

  • CWE-472

    External Control of Assumed-Immutable Web Parameter