Description
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker in a privileged network position to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the Chrome Extensions component allows a malicious extension, crafted by an attacker with privileged network access, to run arbitrary code within the browser’s sandbox. Code running there may be used to compromise the system beyond the sandbox, depending on host configuration and additional vulnerabilities. The weakness is improper permission handling that permits code execution where it should be disallowed. Chromium rates the flaw as low severity, indicating limited immediate impact but potential for escalation if coupled with other weaknesses.

Affected Systems

Google Chrome versions older than 149.0.7827.53 are affected. The issue appears in the stable channel release for desktop prior to that build. No other Chrome products or major components are reported as impacted.

Risk and Exploitability

The CVSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, implying no widespread exploitation has been observed. An attacker would need privileged network access to deliver a malicious extension, making public exploitation unlikely. The impact of any successful exploit remains confined to the sandbox, though it can serve as a pivot toward higher-level compromise if additional host weaknesses exist.

Generated by OpenCVE AI on June 5, 2026 at 00:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later
  • Remove or uninstall any untrusted or malicious extensions
  • Disable installation of extensions from unknown sources through enterprise policies or browser settings

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:15:00 +0000

Type | Values Removed | Values Added
Title | | Arbitrary Code Execution via Crafted Chrome Extension in Versions Prior to 149.0.7827.53
Weaknesses | | CWE-264, CWE-732

Fri, 05 Jun 2026 01:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker in a privileged network position to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:11.890Z

Reserved: 2026-06-04T17:11:10.531Z

Link: CVE-2026-11269

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T00:17:03.887

Modified: 2026-06-05T00:17:03.887

Link: CVE-2026-11269

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T01:00:15Z

Weaknesses