Description
Out of bounds read and write in Media in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read and write flaw was identified in the Media component of Google Chrome for macOS. The bug allows a remote attacker who has already compromised the renderer process to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The impact is the execution of code with the privileges of the sandboxed renderer, potentially enabling privilege escalation or further compromise of the user system.

Affected Systems

The vulnerability affects Google Chrome running on macOS versions prior to 149.0.7827.103. Users of any earlier releases of Chrome on Mac are therefore at risk until a patched version is installed.

Risk and Exploitability

Chromium classifies the issue as high severity, reflected by a CVSS score of 7.5. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to deliver a malicious HTML page to the renderer process, which is typically constrained to sandbox permissions; the out‑of‑bounds read/write enables arbitrary code execution within that confined environment, and this delivery method is inferred from the description.

Generated by OpenCVE AI on June 9, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to at least 149.0.7827.103 or a later version that includes the fix.
  • Keep automatic updates enabled so that future security patches are applied automatically.
  • If an upgrade is not immediately possible, consider blocking or restricting untrusted HTML content or using an alternative browser until the flaw is resolved.

Generated by OpenCVE AI on June 9, 2026 at 04:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Memory Access in Chrome Media Component Enables Sandbox Escape on macOS

Tue, 09 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via OOB Media Bug in Chrome on Mac
Weaknesses CWE-122

Tue, 09 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via OOB Media Bug in Chrome on Mac
First Time appeared Google
Google chrome
Weaknesses CWE-122
CWE-787
Vendors & Products Google
Google chrome

Mon, 08 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Out of bounds read and write in Media in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
References

Subscriptions

Apple Macos
Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-09T03:55:41.465Z

Reserved: 2026-06-08T21:33:54.618Z

Link: CVE-2026-11690

cve-icon Vulnrichment

Updated: 2026-06-09T00:56:02.211Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T00:16:52.453

Modified: 2026-06-09T14:53:28.983

Link: CVE-2026-11690

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T04:30:42Z

Weaknesses