Description
Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A 32‑bit integer overflow in the V8 JavaScript engine of Google Chrome, found in versions before 149.0.7827.53, permits a remote attacker to execute arbitrary code inside Chrome's sandbox when a specially crafted HTML page is loaded. The flaw is classified as high severity by Chromium, and the potential impact is that the attacker can run code with the restricted privileges of the browser, bypassing normal security boundaries.

Affected Systems

All installations of Google Chrome with a revision older than 149.0.7827.53 are affected. The vulnerability exists in the core V8 engine, meaning that every platform (Windows, macOS, Linux, Android, iOS) running the unauthenticated pre‑149.0.7827.53 build is vulnerable.

Risk and Exploitability

The exploit requires a malicious web page that the user opens, making the attack vector likely a remote web‑based delivery. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, but the CVSS‑derived high severity of 8.8 suggests a substantial risk if left unpatched. An attacker who can convince a user to visit a crafted page can achieve arbitrary code execution within the browser sandbox, which can be leveraged for further escalation or persistence.

Generated by OpenCVE AI on June 5, 2026 at 04:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later, which contains the V8 integer overflow fix.
  • If automatic updates are disabled, manually download and install the latest stable release from the official Chrome website.
  • If immediate update is not possible, remove Chrome from the user’s system or block network traffic to sites that could serve malicious HTML to limit exposure.

Generated by OpenCVE AI on June 5, 2026 at 04:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Integer Overflow in Chrome’s V8 Engine

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-472
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:21:24.308Z

Reserved: 2026-06-04T17:06:17.212Z

Link: CVE-2026-10964

cve-icon Vulnrichment

Updated: 2026-06-05T00:18:09.523Z

cve-icon NVD

Status : Received

Published: 2026-06-04T23:16:59.503

Modified: 2026-06-05T02:17:01.953

Link: CVE-2026-10964

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T04:15:25Z

Weaknesses