Description
Heap buffer overflow in GPU in Google Chrome on Android prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow occurs within the GPU component of Google Chrome on Android, which can be triggered by a crafted HTML page. The flaw allows an attacker who has already gained control of the renderer process to potentially escape the sandbox, giving them the ability to run code outside the confined environment. This high‑severity issue can lead to the execution of arbitrary code with elevated privileges.

Affected Systems

Google Chrome for Android is affected; versions prior to 149.0.7827.103 are vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.3, indicating a high severity. Exploitation requires the attacker to first compromise the renderer process and then exploit the heap overflow via a crafted page. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Once a sandbox escape is achieved, attackers can perform further malicious actions on the device.

Generated by OpenCVE AI on June 9, 2026 at 12:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.103 or later on Android
  • If an immediate update is not available, disable GPU acceleration in Chrome settings or launch the browser with the --disable-gpu flag to reduce the attack surface
  • Apply the latest Android system security updates and monitor for any compromises of the renderer process or GPU drivers

Generated by OpenCVE AI on June 9, 2026 at 12:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Title Chrome Android GPU Heap Buffer Overflow Allows Potential Sandbox Escape via Crafted HTML

Tue, 09 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Title Chrome Android GPU Heap Buffer Overflow Allows Potential Sandbox Escape via Crafted HTML

Tue, 09 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Mon, 08 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Heap buffer overflow in GPU in Google Chrome on Android prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-787
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-09T10:47:35.089Z

Reserved: 2026-06-08T21:33:48.001Z

Link: CVE-2026-11672

cve-icon Vulnrichment

Updated: 2026-06-09T10:47:32.088Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T00:16:50.443

Modified: 2026-06-09T11:16:48.977

Link: CVE-2026-11672

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T13:00:05Z

Weaknesses