Description
Insufficient validation of untrusted input in Media in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an input validation flaw (CWE‑20) in the Media processing component of Google Chrome on Windows. Untrusted media data embedded in a crafted HTML page can bypass internal checks when the renderer process has already been compromised, allowing the attacker to escape the renderer’s sandbox. If the escape succeeds, the attacker could gain code execution with the privileges of the current user, compromising the confidentiality, integrity, and availability of the system.

Affected Systems

All installations of Google Chrome on Windows that use a version older than 150.0.7871.47 are susceptible. The flaw resides in the Media subsystem, so any renderer processes that handle media content are impacted.

Risk and Exploitability

Chromium classifies the vulnerability as medium severity; no CVSS score is provided in the public data. Exploitation requires that the attacker has already compromised the renderer process, so this flaw serves as the sandbox-escape stage that follows a separate renderer compromise rather than as a standalone entry point. EPSS is not available, and the flaw is not listed in the CISA KEV catalog, indicating no known exploitation at this time. Nonetheless, the potential for sandbox escape makes it a high‑risk concern for systems that encounter untrusted web content.

Generated by OpenCVE AI on July 1, 2026 at 01:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to at least version 150.0.7871.47 to apply the media input validation fix.
  • Enforce Chrome’s default sandbox policy so that compromised renderer processes cannot access privileged resources.
  • Disable or restrict media playback for untrusted sites using Chrome extensions or enterprise policies.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Insufficient Validation Enables Potential Sandbox Escape via Media Handling in Chromium |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Insufficient validation of untrusted input in Media in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) |
| Weaknesses | | CWE-20 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:21.832Z

Reserved: 2026-06-29T23:03:52.341Z

Link: CVE-2026-13920

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-20: Improper Input Validation