Description
Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An object lifecycle flaw in the Metrics component of Google Chrome allows a remote attacker who has already compromised the renderer process to escape the browser sandbox by serving a crafted HTML page. This type of vulnerability maps to CWE-20, indicating that improper input validation or resource handling can lead to privilege escalation. If exploited, the attacker can gain higher privileges within the host system and potentially execute arbitrary code.

Affected Systems

The flaw is present in Google Chrome versions prior to 149.0.7827.155. Any systems running an older stable release of Chrome are susceptible until the security update that ships with 149.0.7827.155 or later is installed.

Risk and Exploitability

The EPSS score is reported as <1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited widespread exploitation to date. The attack requires the attacker to compromise the renderer process first, which typically implies a foothold gained through malicious web content or a compromised user session. Once the renderer is compromised, the attacker can deliver crafted HTML that triggers the object lifecycle issue, leading to a sandbox escape. The high severity rating issued by Chromium reflects the potential for remote code execution if the attacker proceeds beyond the initial escape.

Generated by OpenCVE AI on June 17, 2026 at 18:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.155 or later to apply the fix for the Metrics object lifecycle flaw.
  • Ensure that Chrome auto‑updates are enabled so the latest security patches are delivered automatically.
  • If an upgrade cannot be applied immediately, restrict access to untrusted web content—use strict content‑security policies, block suspicious domains, and monitor for abnormal renderer activity.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Wed, 17 Jun 2026 05:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) |
| Weaknesses | | CWE-20 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T13:19:31.070Z

Reserved: 2026-06-16T19:38:33.131Z

Link: CVE-2026-12465

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T09:00:06Z

Weaknesses
  • CWE-20: Improper Input Validation