Description
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out-of-bounds read and write flaw in the V8 JavaScript engine that powers Google Chrome. The flaw allows an attacker controlling a crafted HTML page to trigger an out-of-bounds memory access inside the browser's sandbox, which can be escalated to arbitrary code execution. The associated weakness aligns with buffer overrun and arbitrary memory access categories.

Affected Systems

Google Chrome browsers prior to version 149.0.7827.103 on any platform that runs the V8 engine are affected. The flaw was present in the stable channel as of the June 2026 release.

Risk and Exploitability

The CVSS score is 8.8, indicating a high severity rating. The EPSS score is < 1%, and the vulnerability is listed in the CISA KEV catalog, reflecting known exploitation or significant risk. The likely attack vector is remote – a malicious web page served over the network can contain the crafted payload that triggers the out-of-bounds read/write, escaping the browser sandbox and allowing execution of arbitrary code on the local machine.

Generated by OpenCVE AI on June 9, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Chrome version 149.0.7827.103 or later to apply the V8 patch that eliminates the out-of-bounds memory flaw.
  • If immediate upgrade is not possible, enforce browser policies that block or restrict content from untrusted origins until the patch is applied.
  • Remove or quarantine any earlier Chrome versions from endpoints to ensure they cannot be used.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-06-09T00:00:00+00:00', 'dueDate': '2026-06-23T00:00:00+00:00'}


Tue, 09 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Tue, 09 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Title V8 Out-of-Bounds Read/Write Allows Remote Code Execution

Tue, 09 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Read/Write in V8 Exploitable via Crafted HTML Page
Weaknesses CWE-119
CWE-788

Tue, 09 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-787
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Tue, 09 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Read/Write in V8 Exploitable via Crafted HTML Page
Weaknesses CWE-119
CWE-788

Mon, 08 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-09T17:49:11.253Z

Reserved: 2026-06-08T21:33:37.905Z

Link: CVE-2026-11645

Vulnrichment

Updated: 2026-06-09T00:21:23.579Z

NVD

Status: Modified

Published: 2026-06-09T00:16:47.370

Modified: 2026-06-09T18:16:34.133

Link: CVE-2026-11645

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T05:45:26Z

Weaknesses