Description
Insufficient validation of untrusted input in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input in the Chromoting component of Google Chrome on Linux allows a remote attacker who has already compromised a renderer process to use a crafted Chrome Extension to potentially escape the sandbox. The weakness, identified as CWE-20, could let an attacker gain code execution privileges beyond the browser sandbox, jeopardizing system confidentiality and integrity.

Affected Systems

Google Chrome on Linux systems running any version prior to 149.0.7827.53 is affected. The issue is limited to the desktop (stable channel) releases of Chrome on Linux platforms.

Risk and Exploitability

The CVE was assigned a medium Chromium security severity and no EPSS data is available. It is not listed in the CISA KEV catalog. Exploitation requires prior renderer process compromise and the inclusion of a crafted extension, indicating a medium level of difficulty and limited attack surface. If a renderer is already breached, an attacker could escape the sandbox and execute arbitrary code.

Generated by OpenCVE AI on June 5, 2026 at 02:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Google Chrome version 149.0.7827.53 or later, which contains the definitive fix for the Chromoting input validation flaw.
  • Remove or disable any Chrome Extensions that have not been verified by trusted developers or that request excessive permissions.
  • Configure the Chrome sandbox settings to enforce stricter isolation of renderer processes, ensuring that any renderer compromise does not allow native code execution.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:30:00 +0000

Type: Title
Values Added: Chromoting Input Validation Leads to Sandbox Escape in Chrome for Linux

Thu, 04 Jun 2026 23:15:00 +0000

Type: Description
Values Added: Insufficient validation of untrusted input in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Medium)

Type: Weaknesses
Values Added: CWE-20

Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:02.973Z

Reserved: 2026-06-04T17:06:52.938Z

Link: CVE-2026-11112

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:16.830

Modified: 2026-06-04T23:17:16.830

Link: CVE-2026-11112

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T02:15:29Z

Weaknesses