Description
Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in the codecs component of Google Chrome on Windows allows an attacker who has already compromised a renderer process to execute code outside the sandbox, potentially leading to full system compromise. This vulnerability is classed as high severity and is identified as CWE‑416, a classic use‑after‑free weakness that destroys memory safety guarantees.

Affected Systems

The flaw affects Google Chrome for Windows in builds prior to version 149.0.7827.103. Any Windows installation of Chrome older than that release is potentially susceptible, especially when browsing untrusted content that may exploit the codec path.

Risk and Exploitability

The attack vector is most likely a crafted HTML page served from a malicious or compromised site, which an attacker can host locally or through social engineering. Even though the EPSS score is not available and the vulnerability is not listed in CISA KEV, the CVSS score of 8.3 indicates high severity, and the ability to escape the sandbox makes exploitation a serious risk. Successful exploitation would grant the attacker full control over the victim’s machine, bypassing Chrome’s sandbox restrictions.

Generated by OpenCVE AI on June 9, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.103 or later to remove the use‑after‑free flaw.
  • If updating is not immediately possible, isolate Chrome from untrusted web content by using content‑security policies or blocking access to known malicious domains.
  • Monitor renderer process crashes and anomalous sandbox exits for early detection of exploitation attempts.

Generated by OpenCVE AI on June 9, 2026 at 03:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Tue, 09 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Codecs Enables Potential Sandbox Escape on Windows

Tue, 09 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Tue, 09 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Codecs Enables Potential Sandbox Escape on Windows

Mon, 08 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-09T03:56:08.391Z

Reserved: 2026-06-08T21:33:50.527Z

Link: CVE-2026-11679

cve-icon Vulnrichment

Updated: 2026-06-09T01:32:59.063Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T00:16:51.210

Modified: 2026-06-09T14:53:02.277

Link: CVE-2026-11679

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T04:00:14Z

Weaknesses