Description
Insufficient validation of untrusted input in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Dawn component of Google Chrome, where untrusted input is not adequately validated. A remote attacker could serve a specially crafted HTML page that may allow an escape from the browser sandbox, thereby gaining higher privileges on the host. Chromium rates the issue as high severity, reflecting the significant escalation potential should an exploit succeed.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected. Users of the stable channel relying on a build before this update remain vulnerable until an update is installed.

Risk and Exploitability

The EPSS score is below 1% and the flaw is not listed in the CISA KEV catalog, but the CVSS score of 9.6 is rated Critical. Attackers would need to deliver the malicious HTML to the target, typically by directing the victim to a compromised webpage or through social engineering. If successfully exploited, the sandbox escape could enable code execution beyond the browser’s restricted context.

Generated by OpenCVE AI on June 5, 2026 at 19:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later, which addresses the insufficient input validation that allows the escape
  • Ensure that Chrome’s automatic update feature is enabled so that future patches are applied automatically
  • Refrain from opening or interacting with untrusted HTML content from unknown sources until the patch is installed



Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

Fri, 05 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Title | | Insufficient Validation in Chrome Dawn Component Enables Potential Sandbox Escape

Fri, 05 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 05 Jun 2026 05:30:00 +0000

Type | Values Removed | Values Added
Title | | Insufficient Validation in Chrome Dawn Component Enables Potential Sandbox Escape

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-20

References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T18:06:24.735Z

Reserved: 2026-06-04T17:06:21.905Z

Link: CVE-2026-10983

Vulnrichment

Updated: 2026-06-05T18:05:53.891Z

NVD

Status: Analyzed

Published: 2026-06-04T23:17:01.640

Modified: 2026-06-05T20:38:29.687

Link: CVE-2026-10983

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T20:00:04Z

Weaknesses