Description
Race in DevTools in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-24
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the DevTools module of Google Chrome allows a remote attacker who has already compromised the renderer process to potentially escape the sandbox by serving a specially crafted HTML page. The flaw can give the attacker elevated privileges, enabling execution of arbitrary code on the host system. The vulnerability stems from improper input validation (CWE-20) and is considered high severity.

Affected Systems

Google Chrome versions prior to 149.0.7827.197 are affected. The issue affects all desktop builds of the stable channel. No other vendors or products are listed.

Risk and Exploitability

The flaw can be exploited once an attacker has gained a foothold in the renderer process, which is often achieved through other exploit chains or social engineering. EPSS data is unavailable, and the vulnerability is not currently listed in CISA KEV. The CVSS score of 8.3 indicates a high severity, but without proof of widespread exploitation the exact likelihood remains uncertain.

Generated by OpenCVE AI on June 24, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.197 or later.
  • If an update is not immediately possible, disable DevTools for untrusted content by setting appropriate browser policies or using extensions that block DevTools access.
  • Implement network segmentation and least privilege to prevent attackers from reaching the renderer process; consider disabling remote debugging and other developer features on production systems.

Generated by OpenCVE AI on June 24, 2026 at 21:20 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Title Race Condition in DevTools Enables Sandbox Escape via Crafted HTML

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Race Condition in DevTools Enables Sandbox Escape via Crafted HTML

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description Race in DevTools in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:22:57.086Z

Reserved: 2026-06-23T17:14:09.254Z

Link: CVE-2026-13025

Vulnrichment

Updated: 2026-06-24T19:22:48.981Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:30:04Z

Weaknesses
  • CWE-20: Improper Input Validation