Description
Race in Network in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the network process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in the network process of Google Chrome on macOS when a remote attacker already controls the network process. The flaw allows the attacker to execute arbitrary code beyond the sandbox by delivering a specially crafted HTML page. This can lead to full system compromise. The weakness is identified as CWE‑362 and CWE‑368, both concurrent execution issues. Based on the Chromium severity, it is considered high risk.

Affected Systems

The vulnerability affects Google Chrome for macOS versions prior to 149.0.7827.103. All users running those releases are potentially at risk until they update to the referenced release or later.

Risk and Exploitability

The exploitation path requires that an attacker first gain control of Chrome’s network process, after which the crafted HTML triggers a race that breaks out of the sandbox. Despite an EPSS score of 0.00061 indicating a very low but nonzero exploitation probability, and the issue not being listed in CISA’s KEV catalog, the high Chromium severity and the CVSS score of 8.3 highlight a significant potential impact if exploited, with the nature of a sandbox escape indicating elevated risk. Attackers could leverage this flaw remotely by delivering malicious content over a compromised network channel.

Generated by OpenCVE AI on June 11, 2026 at 02:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to 149.0.7827.103 or newer.
  • Enable automatic updates for Chrome and keep macOS on the latest security patch level.
  • Restrict or remove third‑party extensions that may interact with network content, and use firewall rules or a proxy to block suspicious HTML from untrusted origins.

Generated by OpenCVE AI on June 11, 2026 at 02:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6337-1 chromium security update
History

Thu, 11 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Race in Network
Weaknesses CWE-368
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 09 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos

Tue, 09 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Title Race Condition in Chrome’s Network Process Enables Sandbox Escape on macOS

Tue, 09 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Title Race Condition in Chrome’s Network Process Enables Sandbox Escape on macOS

Tue, 09 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Mon, 08 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Race in Network in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the network process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-362
References

Subscriptions

Apple Macos
Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-10T03:58:26.151Z

Reserved: 2026-06-08T21:33:49.804Z

Link: CVE-2026-11677

cve-icon Vulnrichment

Updated: 2026-06-09T10:48:31.771Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T00:16:50.987

Modified: 2026-06-09T14:52:44.670

Link: CVE-2026-11677

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-08T00:00:00Z

Links: CVE-2026-11677 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T02:15:27Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-368

    Context Switching Race Condition