Description
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in how ANGLE, the graphics layer in Google Chrome, validates untrusted input allows a remote attacker to potentially execute code outside the browser sandbox by serving a maliciously crafted HTML page. This weakness (CWE-20, CWE-1286) can compromise the confidentiality, integrity, and availability of the host system. Based on the description, it is inferred that the vulnerability is triggered when an attacker delivers specially crafted content to a user of a vulnerable Chrome build, enabling a sandbox escape and possible full-system compromise.

Affected Systems

Google Chrome browsers built before version 149.0.7827.53 are affected. Users should verify their installed version and update accordingly.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.6, which is a critical severity rating. The EPSS score of <1% suggests a very low but non-zero likelihood of exploitation, and the CVE is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to create a malicious HTML page and get a user, or a vulnerable web page, to load it in the affected browser. This remote attack vector could be delivered via compromised websites or phishing emails, posing a significant threat to systems running an outdated Chrome browser.

Generated by OpenCVE AI on June 7, 2026 at 13:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later
  • If an immediate update is not possible, restrict the browser from loading untrusted content by configuring proxy or firewall rules to block access to known malicious hosts until the update can be applied
  • In managed environments, use Chrome management policies to enforce automatic update checks and installations so that all endpoints receive the patch as soon as it becomes available


Advisories
| Source | ID | Title |
| --- | --- | --- |
| Debian DSA | DSA-6325-1 | chromium security update |

History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient validation of untrusted input in ANGLE
Weaknesses CWE-1286
References
Metrics threat_severity

None

threat_severity

Important


Fri, 05 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title ANGLE Input Validation Flaw Enabling Sandbox Escape in Google Chrome

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Title ANGLE Input Validation Flaw Enabling Sandbox Escape in Google Chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T20:04:13.228Z

Reserved: 2026-06-04T17:06:19.714Z

Link: CVE-2026-10974

Vulnrichment

Updated: 2026-06-05T20:04:03.667Z

NVD

Status: Analyzed

Published: 2026-06-04T23:17:00.623

Modified: 2026-06-05T20:23:01.860

Link: CVE-2026-10974

Redhat

Severity: Important

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10974 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T13:45:07Z

Weaknesses
  • CWE-1286

    Improper Validation of Syntactic Correctness of Input

  • CWE-20

    Improper Input Validation