Description
Out of bounds write in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw is an out‑of‑bounds write in the V8 JavaScript engine that lets a remote attacker, after compromising the renderer process, execute arbitrary code inside Chrome’s sandbox. The vulnerability does not allow direct escape from the sandbox, but code execution within it can lead to privilege escalation or further compromise of the host system. The weakness is a classic memory corruption issue (CWE‑787).

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected. The public release of this fixed version appears in the June 2026 stable channel update. Enterprises running earlier builds must patch before the update is rolled out.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, with the exploitation requiring only a crafted HTML page and successful compromise of the renderer process. The EPSS score is not available, and the vulnerability is not yet listed in CISA’s KEV catalog. Attackers with access to a vulnerable browser instance can trigger the exploit remotely. Given the high CVSS and the accessibility of an exploit via a crafted web page, the risk is moderate to high for organizations that grant web access to untrusted content.

Generated by OpenCVE AI on June 5, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later ;
  • In managed deployments enforce the update rollout so all customer devices run the patched version;
  • As a temporary measure, limit exposure to untrusted content by using a content security policy or a script‑blocking extension to reduce the likelihood that a malicious HTML page can trigger the exploit.

Generated by OpenCVE AI on June 5, 2026 at 03:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Out of Bounds Write in V8 Enables In‑Sandbox Code Execution via Renderer Process chromium-browser: Out of bounds write in V8
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 05 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Out of Bounds Write in V8 Enables In‑Sandbox Code Execution via Renderer Process

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Out of bounds write in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-787
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-06T03:56:15.613Z

Reserved: 2026-06-04T17:10:37.692Z

Link: CVE-2026-11173

cve-icon Vulnrichment

Updated: 2026-06-05T00:40:18.107Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:24.113

Modified: 2026-06-05T20:45:18.203

Link: CVE-2026-11173

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11173 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:00:12Z

Weaknesses