Description
Bad cast in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an improper cast in the Dawn rendering engine, leading to an out‑of‑bounds write (CWE‑125). This flaw allows a remote attacker to craft an HTML page that, when opened in Chrome, grants arbitrary code execution inside the browser's sandbox. The attack can compromise the confidentiality, integrity, or availability of the sandboxed process, and potentially elevate to full system compromise if the sandbox is bypassed.

Affected Systems

This issue affects Google Chrome browsers version 149.0.7827.x and earlier on all supported operating systems, including Windows, macOS, and Linux. The vulnerability does not exist in newer releases of Chrome that include the patch contained in version 149.0.7827.53.

Risk and Exploitability

The CVSS score is 8.8, indicating high severity. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, suggesting that it has not yet been widely exploited. An attacker would need to trick a user into opening a malicious HTML page in the vulnerable version of Chrome; thus the attack vector is likely web‑based. Once triggered, arbitrary code executes within the sandboxed renderer process, which could facilitate further exploitation.

Generated by OpenCVE AI on June 5, 2026 at 04:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later.
  • Ensure automatic updates are enabled so future patches are applied promptly.
  • Restrict access to untrusted HTML content by configuring Chrome’s Safe Browsing or content filtering features until the browser is updated.

Generated by OpenCVE AI on June 5, 2026 at 04:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Title Dawn Out‑of‑Bounds Cast Causing Remote Code Execution in Chrome

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Bad cast in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-125
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:41:28.847Z

Reserved: 2026-06-04T17:06:44.671Z

Link: CVE-2026-11077

cve-icon Vulnrichment

Updated: 2026-06-05T00:40:27.286Z

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:12.410

Modified: 2026-06-05T02:17:06.423

Link: CVE-2026-11077

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T04:30:31Z

Weaknesses