Description
Insufficient validation of untrusted input in Dawn in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dawn, the WebGPU implementation in Google Chrome, insufficiently validates untrusted input on Windows. A remote attacker who has already compromised the renderer process can use a crafted HTML page to exfiltrate cross-origin data. The weakness is classified as CWE-20 (Improper Input Validation). Attackers could obtain confidential data from other origins loaded in the same browsing context, potentially leading to privacy breaches. The vulnerability does not grant full code execution but enables sensitive information disclosure.

Affected Systems

Versions of Google Chrome running on Windows before 149.0.7827.53 are affected. The issue exists in the Chrome stable channel and any Windows installation that has not yet received the update.

Risk and Exploitability

The CVSS score is unspecified, but the Chromium security severity is listed as High. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, indicating no known active exploitation. However, exploitation requires an attacker who has already compromised the renderer process, which could be achieved through other vulnerabilities or social engineering. Once the renderer is compromised, the attacker can perform the cross‑origin data exfiltration with relative ease.

Generated by OpenCVE AI on June 5, 2026 at 01:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or newer on all Windows systems.
  • Disable or remove untrusted extensions and ensure that Remote Debugging is turned off to reduce the chance of renderer compromise.
  • Apply any organization‑wide Chrome policy settings that enforce strict sandboxing and least privilege for renderer processes.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Fri, 05 Jun 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Insufficient Input Validation in Chrome Dawn Leads to Cross-Origin Data Leakage |

Thu, 04 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Insufficient validation of untrusted input in Dawn in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) |
| Weaknesses | | CWE-20 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:00.375Z

Reserved: 2026-06-04T17:06:18.192Z

Link: CVE-2026-10968

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:16:59.953

Modified: 2026-06-04T23:16:59.953

Link: CVE-2026-10968

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T02:30:28Z

Weaknesses