Description
Inappropriate implementation in Isolated Web Apps in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a malicious file. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from an insecure implementation within Google Chrome’s isolated web application framework. A malicious file can trigger code execution inside a sandboxed environment, providing the attacker with the rights of that sandbox. This enables the attacker to run arbitrary code, potentially accessing or modifying files, data, or services that the sandboxed app is allowed to interact with. The impact is the compromise of confidentiality, integrity, or availability of the affected system, depending on the capabilities granted to the sandbox.

Affected Systems

All users of Google Chrome older than version 149.0.7827.53 are affected, regardless of operating system. The weakness exists in the isolated web apps feature offered by Chrome.

Risk and Exploitability

The CVE was assigned a medium security severity by Chromium. Its CVSS score is 8.8, the EPSS score is <1%, and it is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, leveraging a malicious file that could be delivered through a website or a file download. While no widespread exploitation has been reported, the ability to execute code in an ostensibly sandboxed context presents a significant risk to users who enable or interact with isolated web apps. This weakness is categorized as CWE-434, indicating an uncontrolled file type handling vulnerability.

Generated by OpenCVE AI on June 7, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later.
  • If an upgrade is unavailable, disable or restrict the use of isolated web applications, and enforce strict file type validation to mitigate CWE-434.
  • Verify file origins and avoid opening malicious files or downloads from untrusted sources.

Generated by OpenCVE AI on June 7, 2026 at 15:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Inappropriate Implementation in Chrome Isolated Web Apps Allows Remote Code Execution via Malicious File chromium-browser: Inappropriate implementation in Isolated Web Apps
Weaknesses CWE-434
References
Metrics threat_severity

None

 threat_severity

Moderate

Sat, 06 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Inappropriate Implementation in Chrome Isolated Web Apps Allows Remote Code Execution via Malicious File

Sat, 06 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Insecure Isolated Web App Implementation in Chrome
Weaknesses CWE-264
CWE-284		 CWE-474
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 06 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 05 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Insecure Isolated Web App Implementation in Chrome
Weaknesses CWE-264
CWE-284

Fri, 05 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Isolated Web Apps in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a malicious file. (Chromium security severity: Medium)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-06T02:52:57.642Z

Reserved: 2026-06-04T17:06:50.630Z

Link: CVE-2026-11102

cve-icon Vulnrichment

Updated: 2026-06-06T02:52:52.594Z

cve-icon NVD

Status : Modified

Published: 2026-06-04T23:17:15.760

Modified: 2026-06-06T04:17:26.287

Link: CVE-2026-11102

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11102 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T15:15:46Z

Weaknesses