Description
Use after free in Media in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in the Media component of Google Chrome on Windows allows an attacker who supplies a crafted HTML page to trigger arbitrary code execution inside the browser’s sandbox. The vulnerability maps to CWE‑416 and also involves uncontrolled resource consumption (CWE‑825). If exploited, the attacker could run malicious binaries or scripts with the same privileges as the browser process, confined within the sandbox environment.

Affected Systems

Google Chrome for Windows users running versions older than 149.0.7827.53 are affected.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity impact, while the EPSS score is less than 1% and the vulnerability is not listed in CISA’s KEV catalog. Because exploitation requires only a custom HTML page delivered to the victim, the attack vector is straightforward. Given the high severity score and the low EPSS, the overall risk remains significant.

Generated by OpenCVE AI on June 7, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later to resolve the media use‑after‑free issue.
  • Enable automatic updates so the browser receives future patches promptly.
  • If an immediate upgrade is not possible, isolate the browser from untrusted content or disable rendering of external web pages until the patch is applied.

Generated by OpenCVE AI on June 7, 2026 at 16:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in Media
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Sat, 06 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Fri, 05 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Media Allows Remote Code Execution on Windows

Fri, 05 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Media Allows Remote Code Execution on Windows

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in Media in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-06T03:56:34.895Z

Reserved: 2026-06-04T17:06:40.389Z

Link: CVE-2026-11060

cve-icon Vulnrichment

Updated: 2026-06-05T00:24:45.499Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:10.477

Modified: 2026-06-06T01:39:01.990

Link: CVE-2026-11060

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11060 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T16:45:04Z

Weaknesses