Description
Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in Chrome’s Codecs component, where untrusted input is insufficiently validated. A remote attacker who has already compromised the renderer process can deliver a specially crafted HTML page that compels the renderer to execute code outside its sandbox. Based on the description, it is inferred that the attacker could run code with the same privileges as the renderer, effectively escaping its sandbox, though this does not guarantee arbitrary system-wide code execution.

Affected Systems

Google Chrome browsers with a version older than 149.0.7827.53 are affected. The vulnerability was fixed in the stable channel release 149.0.7827.53 and later. No other vendors or products were listed.

Risk and Exploitability

The CVSS score is 9.6, indicating a high‑severity vulnerability. The EPSS score of <1% suggests a low exploitation probability, yet the severity remains significant. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to first compromise the renderer process, which limits the attack surface but still poses a serious risk for compromised content. The likely attack vector is a crafted HTML page delivered over the network, targeting the renderer in a local browser context. In this context, the vulnerability would enable a sandbox escape.

Generated by OpenCVE AI on June 7, 2026 at 15:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later via the stable channel
  • Ensure auto‑updates are enabled so all users receive the latest security patch
  • As an interim safeguard, restrict or block untrusted HTML content from unverified sites, or use site isolation to segregate potentially malicious renderer processes

Generated by OpenCVE AI on June 7, 2026 at 15:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient validation of untrusted input in Codecs
Weaknesses CWE-1286
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

Fri, 05 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Insufficient Validation of Untrusted Input in Chrome Codecs Allows Potential Sandbox Escape

Fri, 05 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Title Insufficient Validation of Untrusted Input in Chrome Codecs Allows Potential Sandbox Escape

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T16:29:32.726Z

Reserved: 2026-06-04T17:06:48.982Z

Link: CVE-2026-11095

cve-icon Vulnrichment

Updated: 2026-06-05T13:12:05.352Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:14.590

Modified: 2026-06-05T20:27:11.703

Link: CVE-2026-11095

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11095 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T15:15:46Z

Weaknesses
  • CWE-1286

    Improper Validation of Syntactic Correctness of Input

  • CWE-20

    Improper Input Validation