Description
Insufficient validation of untrusted input in Text in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in how the Text component of Google Chrome for Android handled untrusted input allowed an attacker who had already compromised the renderer process to supply a crafted HTML page that could potential for the attacker to run code with the same privileges as the renderer process, which may allow arbitrary code execution on the device. The underlying weakness is an input validation flaw (CWE‑20).

Affected Systems

All Android installations of Google Chrome earlier than version 150.0.7871.47 are vulnerable.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly recorded exploitation as attack requires that an attacker first gain control of the renderer process, which is a remote code execution vector. If successful, the attacker could escape the sandbox and elevate privileges on the victim device. Given the lack of public exploitation data rating, the likelihood of an immediate attack appears moderate, but the potential impact remains significant if the renderer is compromised.

Generated by OpenCVE AI on July 1, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later to apply the vendor fix
  • Remove or block any older Chrome installations that are not patched from being used on the device
  • Use Chrome's enterprise policies or browser settings to restrict the loading of untrusted chance that a compromised renderer can process malicious input

Generated by OpenCVE AI on July 1, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 09:45:00 +0000

Type Values Removed Values Added
Title Insufficient Text Input Validation Enables Renderer Sandbox Escape on Chrome Android

Wed, 01 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Insufficient Text Input Validation Enables Renderer Sandbox Escape on Chrome Android

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Text in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:29.264Z

Reserved: 2026-06-29T23:11:43.409Z

Link: CVE-2026-14106

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T09:30:05Z

Weaknesses
  • CWE-20

    Improper Input Validation