Description
Inappropriate implementation in Link Preview in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the Link Preview feature of Google Chrome before version 149.0.7827.53 allowed a remote attacker who had already compromised a renderer process to bypass navigation restrictions by serving a malicious HTML page. The attacker can force the renderer to navigate to URLs that are normally blocked, potentially exposing the user to malicious content or enabling further exploitation. The weakness is improper validation of navigation requests made by the link preview logic, which can be classified as improper access control.

Affected Systems

All users of Google Chrome who have not updated to the 149.0.7827.53 release or later are affected. Only the Chrome browser is impacted; no other Google products or third-party applications are listed.

Risk and Exploitability

Chromium rates this vulnerability as medium severity. The EPSS score is unavailable and the CVE is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Exploitation requires the attacker to first compromise the renderer process, after which the crafted HTML can be delivered via any website the user visits. The prerequisite of renderer compromise lowers the probability of opportunistic attacks, but targeted campaigns could leverage this weakness to bypass security controls.

Generated by OpenCVE AI on June 5, 2026 at 02:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later.
  • Disable the Link Preview feature by navigating to chrome://flags and setting the corresponding flag to Disabled.
  • Ensure that Chrome’s sandboxing features are enabled and that renderer processes are isolated, reducing the risk of compromise.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 07:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Fri, 05 Jun 2026 03:15:00 +0000

Type | Values Removed | Values Added
Title | | Link Preview Navigation Restriction Bypass in Chrome
Weaknesses | | CWE-1184, CWE-284

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Link Preview in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:21.857Z

Reserved: 2026-06-04T17:06:30.215Z

Link: CVE-2026-11017

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:05.640

Modified: 2026-06-04T23:17:05.640

Link: CVE-2026-11017

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T07:15:20Z

Weaknesses