Description
Heap buffer overflow in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-06-11
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap buffer overflow in the GPU component of Google Chrome on Android. The flaw exists when a renderer process can be compromised, allowing an attacker to craft a malicious HTML page that triggers the overflow and potentially escapes the browser sandbox. If successful, the attacker could run arbitrary code with the permissions of the Chrome renderer, possibly gaining full device control. This is classified by Chromium as critical severity.

Affected Systems

Affected systems are devices running Google Chrome on Android with versions prior to 149.0.7827.115. Chrome for Android before that release is vulnerable. No other platforms or products are listed.

Risk and Exploitability

The CVSS score is not provided, but the statement of critical severity indicates a high risk. The EPSS score is not available, and Chrome is not listed in the CISA KEV catalog, suggesting no confirmed active exploitation yet. However, the attack vector requires an attacker to first compromise the renderer process, which can be done by serving malicious content over a network. Once inside the renderer, the overflow can be triggered through a crafted HTML page. This combination of conditions indicates a highly exploitable vulnerability for skilled adversaries, but the practical risk remains tied to the likelihood of the renderer being compromised.

Generated by OpenCVE AI on June 11, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Chrome version 149.0.7827.115 or later on all Android devices
  • If an immediate update is not possible, disable GPU hardware acceleration in Chrome settings to reduce the attack surface
  • Monitor Chrome update announcements and apply security patches as they become available

Generated by OpenCVE AI on June 11, 2026 at 22:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 11 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Heap Buffer Overflow in GPU Enables Sandbox Escape in Android Chrome

Thu, 11 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description Heap buffer overflow in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-122
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-11T20:48:05.851Z

Reserved: 2026-06-11T18:16:03.159Z

Link: CVE-2026-12010

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-11T22:16:53.480

Modified: 2026-06-11T22:16:53.480

Link: CVE-2026-12010

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T23:30:05Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow