Description
Inappropriate implementation in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: High)
Published: 2026-06-04
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Inappropriate handling of codec parameters in Google Chrome allows a remote attacker to craft a malicious video file that, when processed by the browser, can escape the sandbox and potentially lead to code execution on the host. The underlying weakness is a failure to validate untrusted input, categorized as CWE-20 and CWE-1286. An attacker can embed the malformed file in a web page or deliver it through other remote vectors.

Affected Systems

The flaw affects Google Chrome before version 149.0.7827.53. Any older stable-channel version is vulnerable. No additional product or version details are provided, so the advisory covers all versions earlier than 149.0.7827.53 on every supported operating system.

Risk and Exploitability

The CVSS score of 9.6 reflects that exploitation could allow code execution outside the browser sandbox (the vector's scope is marked as changed). The EPSS score of <1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Chromium classifies the issue as high severity. The likely attack vector is a remote attacker delivering a crafted video file that the browser processes, potentially leading to code execution with the privileges of the user process.

Generated by OpenCVE AI on June 8, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later to apply the fix for the codec sandbox escape.
  • Reboot your system to ensure the updated Chrome binary is loaded into memory.
  • Keep your operating system and other security software up to date to mitigate related unknown vulnerabilities.

Generated by OpenCVE AI on June 8, 2026 at 19:24 UTC.

Advisories

Source: Debian DSA
ID: DSA-6325-1
Title: chromium security update

History

Mon, 08 Jun 2026 18:15:00 +0000

Type: Metrics
Values removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Values added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Sun, 07 Jun 2026 12:15:00 +0000

Type: Title
Value: chromium-browser: Insufficient validation of untrusted input in Codecs
Type: Weaknesses
Values added: CWE-1286
Type: References
Type: Metrics
Values removed: threat_severity None
Values added: threat_severity Important


Sat, 06 Jun 2026 06:15:00 +0000

Type: Title
Value: Codec Parameter Validation Flaw Enables Sandbox Escape in Google Chrome

Sat, 06 Jun 2026 03:15:00 +0000

Type: Metrics
Values removed: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 05 Jun 2026 21:45:00 +0000

Type: Title
Value: Codec Parameter Validation Flaw Enables Sandbox Escape in Google Chrome

Fri, 05 Jun 2026 20:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Type: Metrics
Values added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Fri, 05 Jun 2026 02:45:00 +0000

Type: First Time appeared
Values added: Google; Google chrome
Type: Vendors & Products
Values added: Google; Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type: Description
Values added: Inappropriate implementation in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: High)
Type: Weaknesses
Values added: CWE-20
Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-08T18:04:08.435Z

Reserved: 2026-06-04T17:06:17.665Z

Link: CVE-2026-10966

Vulnrichment

Updated: 2026-06-06T02:28:17.829Z

NVD

Status: Modified

Published: 2026-06-04T23:16:59.723

Modified: 2026-06-08T19:16:35.060

Link: CVE-2026-10966

Redhat

Severity: Important

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10966 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-08T19:30:06Z

Weaknesses
  • CWE-1286: Improper Validation of Syntactic Correctness of Input
  • CWE-20: Improper Input Validation