Description
Insufficient validation of untrusted input in Drag and Drop in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input during Drag and Drop in Google Chrome on Android versions prior to 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to perform a sandbox escape. The vulnerability is a classic input validation flaw (CWE‑20) that could allow malicious code to execute with higher privileges than the renderer, potentially compromising device integrity and confidentiality.

Affected Systems

Google Chrome for Android. Versions before 149.0.7827.53 are affected; no other product or version information is available at this time.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The reported Chromium security severity is Medium. Exploitation requires an attacker to first gain control of the renderer process, which may be achieved through other local or remote exploits. Once the renderer is compromised, the crafted HTML page can bypass input validation during drag‑and‑drop to escape the sandbox, enabling potential code execution with elevated privileges on the device.

Generated by OpenCVE AI on June 5, 2026 at 02:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later on Android devices.
  • If an update is not immediately possible, disable drag‑and‑drop handling for untrusted content through enterprise policy or Chrome flags to mitigate the risk.
  • Monitor Chrome processes and Android system logs for indications of renderer compromise and ensure no other vulnerable applications are present on the device.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 04:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 05 Jun 2026 03:15:00 +0000

Type | Values Removed | Values Added
Title | | Insufficient Drag and Drop Validation Enables Sandbox Escape in Chrome Android

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in Drag and Drop in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:26.989Z

Reserved: 2026-06-04T17:06:32.940Z

Link: CVE-2026-11029

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:06.923

Modified: 2026-06-04T23:17:06.923

Link: CVE-2026-11029

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T04:00:11Z

Weaknesses