Description
Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate handling of Views in Google Chrome for Linux versions earlier than 149.0.7827.103 allows a remote attacker who has already gained control over the renderer process to escape the browser sandbox by serving a specially crafted HTML page. The escape would give the attacker the same privileges that the renderer runs with, potentially compromising the entire system. Chromium labels this flaw as high severity.

Affected Systems

All Linux installations of Google Chrome older than version 149.0.7827.103 are affected. The vulnerability resides in the renderer component, which processes content from HTML before rendering.

Risk and Exploitability

The CVSS score is 8.3 and the EPSS score is reported as less than 1%, indicating a very low but non‑zero exploitation probability. The flaw is not listed in CISA’s KEV catalog. Exploitation requires that the attacker first compromise the renderer process; once that initial barrier is bypassed, delivery of crafted HTML enables the sandbox escape. Consequently, while the vulnerability’s impact is severe, the overall exploitation likelihood remains constrained by the prerequisite compromise.

Generated by OpenCVE AI on June 11, 2026 at 02:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.103 or newer on all Linux machines.
  • Implement input validation or sanitization for HTML content handled by the Views component to mitigate the improper input validation (CWE‑20) and data inclusion (CWE‑653) weaknesses.
  • Enforce stricter sandbox isolation for the renderer process using AppArmor or SELinux policies to reduce the risk of future escapes even if input validation fails.

Generated by OpenCVE AI on June 11, 2026 at 02:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6337-1 chromium security update
History

Thu, 11 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Google Chrome Linux Renderer Sandbox Escape via Malicious HTML chromium-browser: Insufficient validation of untrusted input in Views
Weaknesses CWE-653
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 10 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Google Chrome Linux Renderer Sandbox Escape via Malicious HTML

Wed, 10 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

Tue, 09 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Title Potential Sandbox Escape via Crafted HTML in Chrome on Linux

Tue, 09 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Title Potential Sandbox Escape via Crafted HTML in Chrome on Linux

Tue, 09 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Mon, 08 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-10T03:58:27.262Z

Reserved: 2026-06-08T21:33:51.666Z

Link: CVE-2026-11682

cve-icon Vulnrichment

Updated: 2026-06-09T10:50:10.832Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T00:16:51.573

Modified: 2026-06-10T15:27:40.460

Link: CVE-2026-11682

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-08T00:00:00Z

Links: CVE-2026-11682 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T02:15:27Z

Weaknesses