Description
Insufficient policy enforcement in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness in Google Chrome's GPU policy enforcement allows a remote attacker who has already compromised the renderer process to potentially escape the sandbox by loading a specially crafted HTML page. The vulnerability can elevate the attacker's privileges from a restricted renderer context to higher levels on the host, enabling execution of arbitrary code, data exfiltration, or persistence. Chromium labels the issue as low severity, yet the ability to bypass sandbox boundaries represents a classic privilege escalation scenario.

Affected Systems

Google Chrome, versions earlier than 150.0.7871.47. Users of the stable channel on any platform that uses Chrome's renderer and GPU components are affected.

Risk and Exploitability

Exploit likelihood is limited by the requirement that the attacker must first gain a foothold in the renderer process, a step that usually necessitates another vulnerability or social engineering. No EPSS score is currently available and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. However, if a renderer compromise occurs, a maliciously crafted web page could trigger the GPU policy flaw and allow a local sandbox escape, resulting in higher level privileges on the host machine.

Generated by OpenCVE AI on July 1, 2026 at 04:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.47 or newer, which addresses the GPU policy enforcement flaw.
  • If updating is delayed, disable hardware acceleration by launching Chrome with the --disable-gpu flag or turning off “Use hardware acceleration when available” in settings, thereby eliminating the GPU surface used by the vulnerability.
  • If you serve untrusted content, isolate it using cross‑origin isolation and content security policies, and monitor for anomalous renderer activity to detect attempts to exploit a compromised renderer process.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-285

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:04.467Z

Reserved: 2026-06-29T23:11:29.284Z

Link: CVE-2026-14037

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T04:15:16Z

Weaknesses