Description
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 8.8 High
EPSS: 1.7% Low
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out-of-bounds read and write flaw in the V8 JavaScript engine that powers Google Chrome. The flaw allows an attacker controlling a crafted HTML page to trigger an out-of-bounds memory access inside the browser's sandbox, which can be escalated to arbitrary code execution. The associated weakness aligns with buffer overrun and arbitrary memory access categories.

Affected Systems

Google Chrome browsers prior to version 149.0.7827.103 on any platform that runs the V8 engine are affected. The flaw was present in the stable channel as of the June 2026 release.

Risk and Exploitability

The CVSS score is 8.8, indicating a high severity rating. The EPSS score is <1%, and the vulnerability is listed in the CISA KEV catalog, reflecting known exploitation or significant risk. The likely attack vector is remote: a malicious web page served over the network can contain the crafted payload that triggers the out-of-bounds read/write and allows execution of arbitrary code inside the browser sandbox.

Generated by OpenCVE AI on June 18, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the V8 patch in Chrome version 149.0.7827.103 or later to remediate the out-of-bounds vulnerability identified as CWE‑125 and CWE‑787.
  • If an immediate upgrade is not possible, enforce browser policies that restrict or block content from untrusted origins, mitigating the buffer overflow risk associated with CWE‑125 and CWE‑787.
  • Remove or quarantine any earlier Chrome versions from endpoints to prevent exploitation of the out-of-bounds flaw tied to CWE‑125 and CWE‑787.

Generated by OpenCVE AI on June 18, 2026 at 03:48 UTC.

Advisories

Source | ID | Title
Debian DSA | DSA-6337-1 | chromium security update

History

Thu, 11 Jun 2026 00:15:00 +0000

Type | Values Removed | Values Added
Title | Out-of-bounds Read/Write in Chrome's V8 Engine Enables Remote Code Execution | chromium-browser: Out of bounds memory access in V8
References | |
Metrics | threat_severity: None | threat_severity: Important


Wed, 10 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Out-of-bounds Read/Write in Chrome's V8 Engine Enables Remote Code Execution

Tue, 09 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title V8 Out-of-Bounds Read/Write Allows Remote Code Execution

Tue, 09 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-06-09T00:00:00+00:00', 'dueDate': '2026-06-23T00:00:00+00:00'}


Tue, 09 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Tue, 09 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Title V8 Out-of-Bounds Read/Write Allows Remote Code Execution

Tue, 09 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Read/Write in V8 Exploitable via Crafted HTML Page
Weaknesses CWE-119
CWE-788

Tue, 09 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-787
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Tue, 09 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Read/Write in V8 Exploitable via Crafted HTML Page
Weaknesses CWE-119
CWE-788

Mon, 08 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-10T03:58:04.682Z

Reserved: 2026-06-08T21:33:37.905Z

Link: CVE-2026-11645

Vulnrichment

Updated: 2026-06-09T00:21:23.579Z

NVD

Status: Analyzed

Published: 2026-06-09T00:16:47.370

Modified: 2026-06-09T19:41:08.533

Link: CVE-2026-11645

Red Hat

Severity: Important

Public Date: 2026-06-08T00:00:00Z

Links: CVE-2026-11645 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T04:00:15Z

Weaknesses