Description
Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in the media codecs component of Google Chrome on Windows. When a renderer process is compromised, a specially crafted HTML page can trigger access to freed memory, potentially allowing the attacker to escape the sandbox and execute arbitrary code within the user’s operating system.

Affected Systems

Any Windows build of Google Chrome before version 149.0.7827.53, including the desktop channel, is affected.

Risk and Exploitability

EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, which indicates limited known exploitation. Still, because the exploit would enable a sandbox escape, success would give an attacker high privileges and remote code execution. The attack requires the attacker to already compromise the renderer process and deliver a malicious HTML page, so the impact is confined to environments where this control can be achieved. Chromium rated the severity as medium.

Generated by OpenCVE AI on June 5, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later.
  • Ensure the browser is set to receive automatic updates or apply the latest release manually.
  • Monitor for suspicious renderer activity and restrict untrusted web content or employ site isolation settings to reduce risk.

Generated by OpenCVE AI on June 5, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Codecs Enables Potential Sandbox Escape on Windows

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-416
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:53.993Z

Reserved: 2026-06-04T17:06:48.743Z

Link: CVE-2026-11094

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:14.383

Modified: 2026-06-04T23:17:14.383

Link: CVE-2026-11094

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T02:30:29Z

Weaknesses