Description
Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient validation of untrusted input in the New Tab Page in Google Chrome. An attacker who has already compromised the renderer process could use a crafted HTML page to potentially escape the browser sandbox, allowing execution of code with higher privileges than the restricted renderer environment provides. The flaw is classified as CWE-20 (Improper Input Validation) and could lead to arbitrary code execution beyond the browser context.

Affected Systems

Google Chrome versions prior to 150.0.7871.47 are affected. The vulnerability is specific to the desktop stable channel and other channels using the same codebase.

Risk and Exploitability

Chromium rates this issue as low severity, and no EPSS score is available. The vulnerability requires that the attacker first gain control of the renderer process, a scenario that is not trivial and for which no public exploits are currently known. The absence from the CISA KEV catalog and the lack of a public exploit reduce the immediate risk, but its potential to undermine Chrome’s sandbox still warrants attention.

Generated by OpenCVE AI on July 1, 2026 at 02:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later.
  • Enable automatic browser updates to receive future security patches.
  • If an upgrade is delayed, restrict execution of untrusted HTML by disabling New Tab Page extensions or settings that allow arbitrary content. (If available, apply any vendor-recommended temporary mitigation.)

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:30:00 +0000

Type | Values Removed | Values Added
Title | | Untrusted Input on Chrome New Tab Page Enables Sandbox Escape

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Weaknesses | | CWE-20
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:04.825Z

Reserved: 2026-06-29T23:11:29.557Z

Link: CVE-2026-14038

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:15:07Z

Weaknesses
  • CWE-20: Improper Input Validation