Description
Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an input validation flaw in the Chrome Cast feature. An attacker on the same local network segment can serve a specially crafted HTML page that exploits the insufficient validation of untrusted input, allowing the browser to execute code with elevated privileges on the victim’s computer. The weakness is a classic Improper Input Validation (CWE‑20) that removes the boundary between trusted and untrusted data, enabling privilege escalation via a browser session.

Affected Systems

Affected products are Google Chrome browsers running any version earlier than 149.0.7827.53 on desktop platforms. The fix was released with the 149.0.7827.53 update to the stable channel. All users of older Chrome versions should upgrade immediately.

Risk and Exploitability

The CVSS score of 8 categorizes this flaw as high severity, and although Chromium labels it as low severity, it still allows a local network attacker to gain elevated privileges without user interaction after delivering a crafted page. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers who can reach the victim’s machine on the local network can exploit this flaw, so the risk is localized but serious for any exposed network environment.

Generated by OpenCVE AI on June 5, 2026 at 05:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later
  • Disable or block access to the Chrome Cast feature if an update cannot be applied
  • Ensure that only trusted devices are allowed to connect to local network services that serve Chrome pages

Generated by OpenCVE AI on June 5, 2026 at 05:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Untrusted Input in Chrome Cast Feature

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Untrusted Input in Chrome Cast Feature
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T01:41:31.034Z

Reserved: 2026-06-04T17:11:00.880Z

Link: CVE-2026-11241

cve-icon Vulnrichment

Updated: 2026-06-05T01:41:27.138Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T00:17:00.340

Modified: 2026-06-05T15:29:16.977

Link: CVE-2026-11241

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:30:32Z

Weaknesses