Description
Inappropriate implementation in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
Published: 2026-06-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper implementation in Chrome’s Updater on Windows allows a local attacker to elevate privileges by placing a malicious file that the updater processes. The vulnerability enables the attacker to execute code with the current user’s rights and then seize system‑level privileges, effectively granting full control over the affected machine.

Affected Systems

All Windows installations of Google Chrome running any version before 150.0.7871.47 are affected; the issue exists in stable channel releases prior to that patch.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, yet it is classified as High severity by Chromium with a CVSS score of 7.8. The flaw requires local access; any user who can place a file on the system can trigger the privilege escalation. Because the exploitation can occur from an ordinary user context, the risk to users of the vulnerable Chrome versions is significant until the updater is updated or removed.

Generated by OpenCVE AI on July 1, 2026 at 17:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 150.0.7871.47 or later
  • If an upgrade cannot be applied immediately, disable or remove the Chrome Updater executable to block the vulnerable functionality
  • Monitor the file system for unauthorized or suspicious executable files and enforce strict permissions to prevent the placement of malicious files

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Privilege Escalation via Malicious File in Chrome Updater |
| Weaknesses | | CWE-732 |

Wed, 01 Jul 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-284 |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |
| | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Wed, 01 Jul 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Privilege Escalation via Malicious File in Chrome Updater |
| Weaknesses | | CWE-732 |

Wed, 01 Jul 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Google, Google chrome |
| Vendors & Products | | Google, Google chrome |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Inappropriate implementation in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High) |

References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T13:52:57.632Z

Reserved: 2026-06-29T23:03:20.856Z

Link: CVE-2026-13800

Vulnrichment

Updated: 2026-07-01T13:41:25.047Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T18:00:11Z

Weaknesses