Description
Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input in extensions allowed a remote attacker who had already compromised the renderer process to achieve privilege escalation through a crafted HTML page. The flaw, related to improper input validation, enables the attacker to execute code with higher privileges within the renderer, potentially allowing arbitrary file writes or execution of malicious binaries on the host. The impact is high, as the renderer process can be used to modify system files or gain further elevated access.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected. The vulnerability exists in the extensions subsystem and requires the attacker to have compromised the renderer process, but no specific product version details beyond the major browser release are available.

Risk and Exploitability

The CVSS score is not stated, but the Chromium security team labels the issue as High severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires a prior compromise of the renderer process, suggesting a two-step exploitation chain: first gaining renderer control, then leveraging the unvalidated input to elevate privileges. Given the severity and lack of public exploitation data, the risk remains significant for systems where the renderer process can be subverted.

Generated by OpenCVE AI on June 5, 2026 at 01:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later.
  • Remove or disable any untrusted or unfamiliar extensions until the browser update is applied.
  • Enable or ensure Chrome’s sandboxing and extension isolation features are active to reduce the impact of any remaining input validation flaws.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:00:00 +0000

Type | Values Removed | Values Added
Title | | Privilege Escalation via Malicious Extension Input in Google Chrome

Fri, 05 Jun 2026 01:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-20
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T01:04:15.313Z

Reserved: 2026-06-04T17:06:18.434Z

Link: CVE-2026-10969

Vulnrichment

Updated: 2026-06-05T01:04:11.468Z

NVD

Status: Received

Published: 2026-06-04T23:17:00.060

Modified: 2026-06-05T02:17:02.437

Link: CVE-2026-10969

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T01:45:28Z

Weaknesses