Description
Insufficient validation of untrusted input in Drag and Drop in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input occurs during drag‑and‑drop operations in Chrome on Android, allowing a remote attacker who has already compromised the renderer process to potentially escape the browser’s sandbox. The flaw is a classic input validation weakness (CWE‑20) combined with improper handling of trust boundaries (CWE‑807). If successfully exploited, malicious code could execute with higher privileges, threatening device integrity and confidentiality.

Affected Systems

Google Chrome for Android devices running any version before 149.0.7827.53 are vulnerable. No other browsers or products are reported to be affected at this time.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the current environment. The vulnerability is not listed in CISA KEV. Exploitation requires an attacker to first gain control of the renderer process, after which a crafted HTML page can trigger the drag‑and‑drop handling bug to escape the sandbox, potentially enabling code execution with elevated privileges on the device.

Generated by OpenCVE AI on June 10, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later on Android devices.
  • If an update is not immediately possible, limit the handling of drag‑and‑drop for untrusted content through enterprise policy or Chrome flags to mitigate the risk.
  • Monitor Chrome renderer processes and Android system logs for signs of compromise and ensure no additional vulnerable applications are present on the device.

Generated by OpenCVE AI on June 10, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Wed, 10 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Wed, 10 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Google android
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google android
Metrics cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Insufficient Drag and Drop Validation Enables Sandbox Escape in Chrome Android chromium-browser: Insufficient validation of untrusted input in Drag and Drop
Weaknesses CWE-807
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 05 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Title Insufficient Drag and Drop Validation Enables Sandbox Escape in Chrome Android

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Drag and Drop in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Google Android Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-10T13:38:43.291Z

Reserved: 2026-06-04T17:06:32.940Z

Link: CVE-2026-11029

cve-icon Vulnrichment

Updated: 2026-06-06T17:22:44.795Z

cve-icon NVD

Status : Modified

Published: 2026-06-04T23:17:06.923

Modified: 2026-06-10T15:16:32.087

Link: CVE-2026-11029

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11029 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T17:00:17Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-807

    Reliance on Untrusted Inputs in a Security Decision