Description
Insufficient policy enforcement in Serial in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote attacker who has already compromised the renderer process can exploit a lack of policy enforcement in the Serial API within Google Chrome to escape the browser sandbox. The flaw, rooted in improper input validation (CWE‑20), lets an attacker use a crafted HTML page to gain higher privileges, potentially enabling execution of arbitrary code at the operating‑system level. The immediate consequence is a compromise of the client machine and the attacker’s ability to execute code with the privileges of the user running Chrome.

Affected Systems

Google Chrome browsers whose version is older than 150.0.7871.47 are affected. This includes all desktop releases that have not yet applied the 150.0.7871.47 update, regardless of operating system. Users running versions before this build should update to eliminate the vulnerability.

Risk and Exploitability

Chromium labels the issue as medium severity. Because the EPSS score is unavailable, the statistical probability of exploitation is not quantified. The bug is not listed in the CISA KEV catalog. To exploit it, an adversary must first gain control of the renderer process, then serve a malicious HTML page crafted to trigger the Serial API validation flaw. When combined, these conditions can result in sandbox escape and subsequent system compromise. The lack of broader exploitation data suggests the risk is moderate to high for users whose Chrome has not been updated.

Generated by OpenCVE AI on July 1, 2026 at 01:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Chrome 150.0.7871.47 or later
  • Verify that all extensions do not expose renderer functionality; consider disabling or sandboxing extensions
  • Ensure automatic browser updates are enabled to receive future security patches

Generated by OpenCVE AI on July 1, 2026 at 01:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:00:00 +0000

Type Values Removed Values Added
Title Sandbox Escape via Crafted HTML in Chrome Due to Policy Enforcement Issue

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Serial in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:14.792Z

Reserved: 2026-06-29T23:03:47.778Z

Link: CVE-2026-13901

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T01:45:06Z

Weaknesses
  • CWE-20

    Improper Input Validation