Description
Inappropriate implementation in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: High)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Inappropriate handling of codec parameters in Google Chrome allows a remote attacker to craft a malicious video file that can escape the browser sandbox, potentially leading to arbitrary code execution on the host. The weakness is a failure to validate input data, categorized as CWE‑20. Attackers can embed the malformed file in a web page or deliver it through other remote vectors.

Affected Systems

The flaw affects Google Chrome browsers before the release of 149.0.7827.53. Users running any older stable channel version are vulnerable. No additional product or version details are provided, so the advisory covers all versions less than 149.0.7827.53 on supported operating systems.

Risk and Exploitability

Because sandbox escape grants kernel‑level access, the risk is high. No EPSS score is available, and the vulnerability is not listed in CISA KEV, but the severity is marked high by Chromium. The likely attack pathway is a malicious video file served over the network, executed by a user or a background process. Once sandboxed code is altered, the attacker can write files, read protected memory, and take control of the system.

Generated by OpenCVE AI on June 5, 2026 at 01:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later to apply the fix for the codec sandbox escape.
  • If an immediate update is not possible, block or restrict the playback of unfamiliar video files, for example by disabling HTML5 video autoplay or using network restrictions to prevent delivery of crafted media.
  • Continuously monitor Chrome update releases and review security advisories for new mitigations until the vulnerability is fully resolved.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google, Google chrome |
| Vendors & Products | | Google, Google chrome |

Thu, 04 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inappropriate implementation in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: High) |
| Weaknesses | | CWE-20 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:03:59.270Z

Reserved: 2026-06-04T17:06:17.665Z

Link: CVE-2026-10966

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:16:59.723

Modified: 2026-06-04T23:16:59.723

Link: CVE-2026-10966

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T02:30:28Z

Weaknesses