Description
Inappropriate implementation in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Dawn rendering engine in Google Chrome contains an implementation flaw that permits a remote attacker to trigger out-of-bounds memory access by serving a specially crafted HTML page. This flaw can lead to memory corruption, which may be exploitable for arbitrary code execution or a denial of service, depending on the execution context. The Chromium security team has rated the issue as Medium severity, indicating that while exploitation is possible, it is not guaranteed to achieve high-impact results without additional conditions.

Affected Systems

Google Chrome versions earlier than 149.0.7827.53 are affected. No other Chrome versions are known to be impacted. The vulnerability resides specifically in the Dawn component of the browser.

Risk and Exploitability

The vulnerability can be exploited over the internet by delivering the malicious HTML page to a user’s browser. The attack vector is remote and requires the victim to open or load the crafted page. Nothing in the CVE record indicates that the flaw requires privileged access or local compromise. The CVSS score of 8.8 indicates high severity, and the EPSS score is < 1%, suggesting a comparatively low likelihood of widespread exploitation at present. The flaw is not listed in CISA's KEV catalog, meaning it has not been identified as a known exploited vulnerability. The Chromium security severity of Medium reflects a moderate risk profile: the flaw can lead to memory corruption, but successful exploitation is uncertain.

Generated by OpenCVE AI on June 5, 2026 at 20:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later, as recommended in the Chrome stable channel release notes.
  • If an upgrade cannot be performed immediately, enforce strict content security policies or use a sandboxed browsing environment to isolate untrusted web content.
  • Ensure automatic updates are enabled or regularly check for updates to keep Chrome current with security fixes.



Advisories
Source | ID | Title
Debian DSA | DSA-6325-1 | chromium security update
History

Mon, 08 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | Out-of-Bounds Memory Access in Chrome Dawn Rendering Engine | chromium-browser: Inappropriate implementation in Dawn
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Fri, 05 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Out-of-Bounds Memory Access in Chrome Dawn Rendering Engine

Fri, 05 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Out-of-Bounds Memory Access in Chrome's Dawn Rendering Engine
Weaknesses CWE-119

Fri, 05 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-787
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Title Out-of-Bounds Memory Access in Chrome's Dawn Rendering Engine
Weaknesses CWE-119

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T16:30:15.820Z

Reserved: 2026-06-04T17:06:48.008Z

Link: CVE-2026-11091

Vulnrichment

Updated: 2026-06-05T14:00:38.898Z

NVD

Status: Analyzed

Published: 2026-06-04T23:17:14.040

Modified: 2026-06-08T14:34:26.553

Link: CVE-2026-11091

Red Hat

Severity: Moderate

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11091 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-05T21:00:05Z

Weaknesses