Description
Inappropriate implementation in Safe Browsing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted RAR file. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an inappropriate implementation in Chrome’s Safe Browsing component that allows a remote attacker to bypass discretionary access control when a specially crafted RAR archive is processed. The flaw is classified as improper access control (CWE-284) and as incorrect behavior order, authorization before parsing and canonicalization (CWE-551). The CVE description does not explicitly state an attack vector; the likely vector is delivery of a malicious RAR file to Chrome, which then processes it. The flaw provides a means to circumvent the access controls normally applied to RAR files, potentially exposing protected resources within the browser, and is rated medium severity by Chromium.

Affected Systems

The flaw affects Google Chrome versions prior to 149.0.7827.53. Users running any unstable channel or earlier stable releases are potentially exposed until a patch is applied.

Risk and Exploitability

The EPSS score is below 1% and the issue is not listed in CISA’s KEV catalog. The CVSS score of 6.5 indicates medium severity. The CVE description does not directly name an attack vector; we infer that a crafted RAR file can be delivered to Chrome, for example via a phishing site or a compromised download, and that the flaw is triggered when Chrome processes the archive, allowing the attacker to bypass the intended access restrictions on that file.

Generated by OpenCVE AI on June 7, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later.
  • Disable Safe Browsing if the latest update cannot be applied (note that this reduces overall protection).
  • Configure download policies or use an AV scanner to block or quarantine RAR files before they are processed by Chrome.


Advisories
Source       ID           Title
Debian DSA   DSA-6325-1   chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

  • Title: removed "Chrome Safe Browsing RAR File Access Control Bypass"; added "chromium-browser: Insufficient policy enforcement in Safe Browsing"
  • Weaknesses: added CWE-551
  • References: changed
  • Metrics: threat_severity changed from None to Moderate

Sat, 06 Jun 2026 02:00:00 +0000

  • First Time appeared: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows
  • CPEs added:
    cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  • Vendors & Products added: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Fri, 05 Jun 2026 18:30:00 +0000

  • Title added: Chrome Safe Browsing RAR File Access Control Bypass

Fri, 05 Jun 2026 15:30:00 +0000

  • Metrics added:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 05:15:00 +0000

  • Weaknesses added: CWE-284

Fri, 05 Jun 2026 05:00:00 +0000

  • First Time appeared: Google, Google chrome
  • Vendors & Products added: Google, Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

  • Description added: Inappropriate implementation in Safe Browsing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted RAR file. (Chromium security severity: Medium)
  • References: added

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T14:33:30.853Z

Reserved: 2026-06-04T17:10:50.951Z

Link: CVE-2026-11210

Vulnrichment

Updated: 2026-06-05T14:33:27.305Z

NVD

Status: Analyzed

Published: 2026-06-04T23:17:28.327

Modified: 2026-06-06T01:58:21.603

Link: CVE-2026-11210

Redhat

Severity: Moderate

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11210 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T16:00:04Z

Weaknesses
  • CWE-284: Improper Access Control
  • CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization