Description
Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use-after-free in Chrome's Browser component that could allow a remote attacker who has already compromised the renderer process to escape the browser sandbox and gain elevated privileges. The flaw is classified as CWE-416 and was rated High severity by Chromium security reviewers. Successful exploitation could lead to execution of arbitrary code on the system.

Affected Systems

The issue affects Google Chrome versions prior to 149.0.7827.155 on desktop browsers, as released to the stable channel in June 2026, meaning every stable-channel build before 149.0.7827.155. No other products or operating system combinations are explicitly listed as affected.

Risk and Exploitability

The EPSS score is reported as less than 1%, indicating a low probability of widespread exploitation at present, and the vulnerability is not catalogued in the CISA KEV list. The attack requires an already compromised renderer process and the delivery of a crafted HTML page, so the primary vector is a malicious web page controlled by the attacker. The overall risk remains high for environments that allow the vulnerable Chrome version to load untrusted web content.

Generated by OpenCVE AI on June 17, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.155 or later, ensuring the sandbox byte‑code patch is applied.
  • Verify that Chrome’s sandboxing features remain enabled and that no policy disables them.
  • Limit exposure to untrusted websites or enforce a stricter content security policy to reduce the chance of malicious pages being served.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Title | | Remote Sandbox Escape via Use‑After‑Free in Chrome Render Process
Metrics | | cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-18T03:55:28.880Z

Reserved: 2026-06-16T19:38:32.794Z

Link: CVE-2026-12464

Vulnrichment

Updated: 2026-06-17T13:18:15.457Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T18:00:04Z

Weaknesses