Description
Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is insufficient validation of untrusted input in the Chromoting component of Google Chrome on Windows prior to version 150.0.7871.47, which may allow a local attacker to escape the browser sandbox by supplying a malicious file. The weakness is classified as CWE-20 (Improper Input Validation), a failure to properly filter or validate inputs. If exploited, an attacker could gain elevated privileges within the system by breaking out of the restricted browser environment.

Affected Systems

All versions of Google Chrome for Windows before 150.0.7871.47. The issue specifically affects the Chromoting component, which is used for remote desktop and screen sharing features.

Risk and Exploitability

Chromium classifies the vulnerability as High severity. No EPSS score is publicly available, and it is not listed in CISA KEV. Because exploitation requires local access to a malicious file and a vulnerable version of Chrome must be running, the threat is limited to local or compromised environments. The attack vector is thus a local attacker with the ability to supply an attacker-controlled file to the running Chrome instance. In the absence of an exploit, the risk remains theoretical but significant for users who enable Chromoting on untrusted machines.

Generated by OpenCVE AI on July 1, 2026 at 08:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Chrome update (v150.0.7871.47 or later), which contains the input-validation fix.
  • If Chromoting is not required, disable the feature or restrict its use to trusted files only.
  • Ensure that Windows sandboxing and User Account Control settings remain enabled to provide an additional layer of protection.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 01 Jul 2026 08:30:00 +0000

Type Values Removed Values Added
Title Local Sandbox Escape via Untrusted Input in Chrome Chromoting

Wed, 01 Jul 2026 01:30:00 +0000

Type Values Removed Values Added
Title Local Sandbox Escape via Untrusted Input in Chrome Chromoting

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:55.806Z

Reserved: 2026-06-29T23:03:32.984Z

Link: CVE-2026-13849

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T09:00:14Z

Weaknesses
  • CWE-20: Improper Input Validation