Description
Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in the codecs component of Google Chrome on Windows allows an attacker who has already compromised a renderer process to execute code outside the sandbox, potentially leading to full system compromise. This vulnerability is classed as CWE‑416 and CWE‑825, indicating a classic use‑after‑free weakness combined with improper use of uninitialized or unsafe memory, both of which destroy memory safety guarantees.

Affected Systems

The flaw affects Google Chrome for Windows in builds prior to version 149.0.7827.103. Any Windows installation of Chrome older than that release is potentially susceptible, especially when browsing untrusted content that may exploit the codec path.

Risk and Exploitability

The attack vector is most likely a crafted HTML page served from a malicious or compromised site, which an attacker can host locally or through social engineering. The EPSS score of 0.00068 indicates a very low probability of exploitation, and the vulnerability is not listed in CISA KEV, but the CVSS score of 8.3 indicates high severity, and the ability to escape the sandbox makes exploitation a serious risk. Successful exploitation would grant the attacker full control over the victim’s machine, bypassing Chrome’s sandbox restrictions.

Generated by OpenCVE AI on June 11, 2026 at 02:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.103 or later to remove the use‑after‑free flaw.
  • If updating is not immediately possible, isolate Chrome from untrusted web content by using content‑security policies or blocking access to known malicious domains.
  • Monitor renderer process crashes and anomalous sandbox exits for early detection of exploitation attempts.

Generated by OpenCVE AI on June 11, 2026 at 02:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6337-1 chromium security update
History

Thu, 11 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in Codecs
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 09 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Tue, 09 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Codecs Enables Potential Sandbox Escape on Windows

Tue, 09 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Tue, 09 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Codecs Enables Potential Sandbox Escape on Windows

Mon, 08 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-09T03:56:08.391Z

Reserved: 2026-06-08T21:33:50.527Z

Link: CVE-2026-11679

cve-icon Vulnrichment

Updated: 2026-06-09T01:32:59.063Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T00:16:51.210

Modified: 2026-06-09T14:53:02.277

Link: CVE-2026-11679

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-08T00:00:00Z

Links: CVE-2026-11679 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T02:15:27Z

Weaknesses