Description
Insufficient validation of untrusted input in Device Trust in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Device Trust component of Google Chrome on Windows insufficiently validates untrusted input. A remote attacker who has first compromised the renderer process can use a specially crafted HTML page to trigger the vulnerability, potentially enabling a sandbox escape. Chromium categorizes the issue as low severity, but it could lead to remote code execution once the sandbox boundary is breached.

Affected Systems

Google Chrome on Windows versions prior to 150.0.7871.47 are affected. Earlier stable channel releases that do not include the fix are vulnerable; 150.0.7871.47 and later are considered fixed.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in CISA KEV, indicating no known widespread exploitation. The attack requires an initial compromise of the renderer process, which may be achieved through phishing or other browser-based attacks. If the attacker succeeds, they could escape the sandbox and execute arbitrary code on the host. The overall risk is moderate, reflecting the Low Chromium severity rating while recognizing the potential for remote code execution if the renderer is compromised.

Generated by OpenCVE AI on July 1, 2026 at 02:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Chrome update 150.0.7871.47 or later.
  • If an update cannot be applied immediately, disable Device Trust through Chrome flags or command‑line switches.
  • Monitor the browser and system logs for unusual renderer activity or sandbox‑escape attempts.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Title | | Insufficient Input Validation in Chrome Device Trust Leading to Sandbox Escape via Crafted Page |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Description | | Insufficient validation of untrusted input in Device Trust in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) |
| Weaknesses | | CWE-20 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:10.920Z

Reserved: 2026-06-29T23:11:33.108Z

Link: CVE-2026-14055

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:15:07Z

Weaknesses
  • CWE-20: Improper Input Validation