Description
Insufficient policy enforcement in USB in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from inadequate policy enforcement in Chrome’s USB handling. An attacker who has already compromised the renderer process can craft a malicious HTML page that triggers a sandbox escape, potentially leading to execution of arbitrary code with elevated privileges.

Affected Systems

Google Chrome versions prior to 150.0.7871.47 are affected. Users running earlier releases may inadvertently expose their systems to this risk if they access potentially malicious web content that exploits the renderer.

Risk and Exploitability

The vendor has labeled the flaw as medium severity in Chromium’s internal assessment. Without a publicly known exploit or EPSS score, the probability of immediate large‑scale exploitation is low, and the vulnerability is not catalogued in the CISA KEV list. Nevertheless, the attack vector requires remote delivery via a crafted web page and a pre‑existing renderer compromise, making the risk moderate for typical users who browse normal web content. Updating Chrome mitigates the flaw and removes the path to sandbox escape.

Generated by OpenCVE AI on July 1, 2026 at 02:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 150.0.7871.47 or later.
  • Disable or restrict USB device access through Chrome policies or enterprise settings.
  • Ensure Site Isolation and sandboxing features are enabled to reduce the impact of potential renderer compromises.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:00:00 +0000

Type | Values Removed | Values Added
Title | | Chrome USB Handling Vulnerability Enables Sandbox Escape via Crafted Web Content
Weaknesses | | CWE-284, CWE-770

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in USB in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:33.295Z

Reserved: 2026-06-29T23:03:59.972Z

Link: CVE-2026-13951

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:45:03Z

Weaknesses
  • CWE-284: Improper Access Control
  • CWE-770: Allocation of Resources Without Limits or Throttling