Description
Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer overflow in the V8 JavaScript engine in Google Chrome prior to 149.0.7827.53. It can be triggered by a specially crafted HTML page, allowing a remote attacker to execute arbitrary code within the browser’s sandbox process. The overflow arises from a numerical error when handling certain data structures in V8, identified as CWE-472.

Affected Systems

All installations of Google Chrome running a version earlier than 149.0.7827.53 on any supported desktop platform are affected. The issue is corrected in Chrome 149.0.7827.53 and later releases.

Risk and Exploitability

The advisory rates the vulnerability as High severity, with a CVSS score of 8.8. No EPSS score is provided, and the vulnerability has not been included in the CISA KEV catalog. The likely attack vector is the delivery of a malicious webpage that a user opens in Chrome; this inference is drawn from the description stating that a crafted HTML page can trigger the overflow. Exploitation requires remote delivery of the page; no additional network or local conditions are explicitly mentioned, and the vulnerability is mitigated by applying the patch.

Generated by OpenCVE AI on June 5, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or newer on all affected computers.
  • Ensure that automatic updates are enabled so that future security patches are applied automatically.
  • If an update cannot be applied immediately, restrict the execution of untrusted web content by tightening site permissions or employing a content‑security policy that limits JavaScript execution from unknown sources.

Generated by OpenCVE AI on June 5, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Title Integer Overflow in V8 Enabling Arbitrary Code Execution via Crafted HTML

Fri, 05 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Title Integer Overflow in V8 Enabling Arbitrary Code Execution via Crafted HTML

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-472
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:20:55.308Z

Reserved: 2026-06-04T17:06:22.928Z

Link: CVE-2026-10987

cve-icon Vulnrichment

Updated: 2026-06-05T00:18:05.432Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-04T23:17:02.097

Modified: 2026-06-05T15:02:34.977

Link: CVE-2026-10987

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T06:30:34Z

Weaknesses