Description
Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted media input in Google Chrome allowed a remote attacker who had already compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. The weakness is an input validation flaw (CWE‑20, CWE‑1289) that enables remote code execution under sandboxed conditions, potentially allowing an attacker to gain significant privileges within the browser context.

Affected Systems

Google Chrome, all versions prior to 149.0.7827.53, which are affected by the media component input validation bug.

Risk and Exploitability

This vulnerability has a CVSS score of 8.8, classifying it as high severity. The EPSS score of 0.00106 indicates a very low but non‑zero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, indicating no current public exploitation yet. The likely attack vector is a malicious HTML page served to users, and exploitation requires an attacker who can compromise the renderer process, which is typically achieved through social engineering or infected sites. Because the flaw is limited to the sandbox, the overall risk to the host is reduced, but within the browser, arbitrary code execution can lead to significant compromise.

Generated by OpenCVE AI on June 7, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later to apply the security fix.
  • Ensure automatic updates are enabled so the browser receives future patches promptly.
  • Configure content security policies on web pages to restrict script execution and other potentially untrusted media content, mitigating the impact of any remaining input validation weaknesses.

Generated by OpenCVE AI on June 7, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chromium Media Input Validation Leads to Remote Code Execution in Sandbox chromium-browser: Insufficient validation of untrusted input in Media
Weaknesses CWE-1289
References
Metrics threat_severity

None

 threat_severity

Moderate

Sat, 06 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Title Chromium Media Input Validation Leads to Remote Code Execution in Sandbox

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-06T03:56:41.683Z

Reserved: 2026-06-04T17:06:37.042Z

Link: CVE-2026-11046

cve-icon Vulnrichment

Updated: 2026-06-05T00:40:35.712Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:09.020

Modified: 2026-06-06T01:37:20.870

Link: CVE-2026-11046

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11046 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T16:45:04Z

Weaknesses
  • CWE-1289

    Improper Validation of Unsafe Equivalence in Input

  • CWE-20

    Improper Input Validation