Description
Heap buffer overflow in V8 in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow in the V8 JavaScript engine allows a remote attacker to craft an HTML page that triggers the overflow and executes arbitrary code inside Chrome’s sandbox. The weakness is classified as type confusion (CWE‑843); it lets the attacker inject and run arbitrary code, potentially compromising the user process or any services that the sandboxed content communicates with. Chromium rates the issue as Medium severity, but remote code execution still poses a significant risk of elevated privileges within the browser context.

Affected Systems

Google Chrome, stable channel: any installation prior to version 150.0.7871.47 is affected. The flaw exists on all platforms where V8 is used as the JavaScript engine, meaning Chrome on Windows, macOS, and Linux, as well as other Chrome‑based browsers that ship the default engine version, is vulnerable until the update is applied.

Risk and Exploitability

The vulnerability is exploitable via a crafted HTML page, meaning a malicious site can trigger it when a user navigates to the page. No EPSS score is available, and the vulnerability is not yet listed in the CISA KEV catalog. The risk level is governed by the Medium severity assigned by Chromium and the remote nature of the attack. An attacker can execute code with the privileges of the sandbox process, which can be a stepping stone to broader system compromise if the sandbox is bypassed or the code can interact with system resources.

Generated by OpenCVE AI on July 1, 2026 at 02:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.47 or newer.
  • Ensure automatic updates are enabled so that all devices receive the patch as soon as it is released.
  • Configure the browser or enterprise policy to restrict execution of untrusted HTML or disable third‑party content until the vulnerability is addressed.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:00:00 +0000

Type | Values Removed | Values Added
Title | | Heap Buffer Overflow in V8 Engine Enables Remote Code Execution via Crafted HTML

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Heap buffer overflow in V8 in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-843
References | |


MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:39.195Z

Reserved: 2026-06-29T23:04:03.940Z

Link: CVE-2026-13967

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:45:03Z

Weaknesses
  • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')