Description
Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer overflow in the V8 JavaScript engine in Google Chrome prior to 149.0.7827.53. It can be triggered by a specially crafted HTML page, allowing a remote attacker to execute arbitrary code within the browser’s sandbox process. The overflow arises from a numerical error when handling certain data structures in V8; the record classifies it as CWE-190 (Integer Overflow or Wraparound) and also lists CWE-472 (External Control of Assumed-Immutable Web Parameter).

Affected Systems

All installations of Google Chrome running a version earlier than 149.0.7827.53 on any supported desktop platform are affected. The issue is corrected in Chrome 149.0.7827.53 and later releases.

Risk and Exploitability

The advisory rates the vulnerability as High severity, with a CVSS score of 8.8. The EPSS score is < 1%, indicating a very low but non-zero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a malicious webpage that a user opens in Chrome; this inference is drawn from the description, which states that a crafted HTML page can trigger the overflow, and it is consistent with the AV:N and UI:R components of the CVSS vector. No additional network or local conditions are explicitly mentioned. Applying the patch mitigates the vulnerability.

Generated by OpenCVE AI on June 7, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or newer on all affected computers.
  • Ensure that automatic updates are enabled so that future security patches are applied automatically.
  • If an update cannot be applied immediately, restrict the execution of untrusted web content by tightening site permissions or employing a content‑security policy that limits JavaScript execution from unknown sources.

Advisories

Source | ID | Title
Debian DSA | DSA-6325-1 | chromium security update

History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Integer overflow in V8
Weaknesses CWE-190
References
Metrics threat_severity: None; threat_severity: Important

Sat, 06 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Title Integer Overflow in V8 Enabling Arbitrary Code Execution via Crafted HTML

Fri, 05 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Title Integer Overflow in V8 Enabling Arbitrary Code Execution via Crafted HTML

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-472
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-06T03:56:47.534Z

Reserved: 2026-06-04T17:06:22.928Z

Link: CVE-2026-10987

Vulnrichment

Updated: 2026-06-05T00:18:05.432Z

NVD

Status: Analyzed

Published: 2026-06-04T23:17:02.097

Modified: 2026-06-06T01:48:47.090

Link: CVE-2026-10987

Redhat

Severity: Important

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10987 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T15:30:04Z

Weaknesses
  • CWE-190: Integer Overflow or Wraparound
  • CWE-472: External Control of Assumed-Immutable Web Parameter