Description
Insufficient validation of untrusted input in Codecs in Google Chrome on Windows prior to 150.0.7871.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-07-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome for Windows versions earlier than 150.0.7871.115 contains an insufficient validation flaw in the codecs module that allows a remote attacker, once they have compromised the renderer process, to potentially escape the sandbox. The vulnerability is a classic input validation weakness (CWE-20) and could allow malicious content to gain higher privileges within the browser or the operating system. The attack requires that the attacker can supply crafted HTML to the renderer, but does not involve memory corruption or arbitrary code execution directly from outside the sandbox.

Affected Systems

All on‑premises Windows installations of Google Chrome running a workflow that includes the codecs module and that have not been updated to 150.0.7871.115 or later. The affected product is Google Chrome for Windows; no specific patched version is listed in the CNA data aside from the mentioned baseline release.

Risk and Exploitability

The vulnerability carries a high severity in Chromium’s scoring but currently has no EPSS data available, suggesting a low frequency of exploitation in the broader landscape. It is not listed in the CISA KEV catalog. However, exploitation would only be possible once a priority 1/2 compromise of the renderer process is achieved, which itself is nontrivial. The attacker would then create a crafted HTML page that triggers the validation flaw, enabling sandbox escape. Organizers typically recommend that all users update Chrome promptly and keep renderer isolation enabled.

Generated by OpenCVE AI on July 9, 2026 at 03:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.115 or later. 
  • Ensure that the Chromium sandbox is enabled for renderer processes – this is the default configuration in every recent stable release. 
  • Limit exposure to untrusted web content by visiting only reputable sites, and consider using extensions or security policies that block suspicious HTML constructs.

Generated by OpenCVE AI on July 9, 2026 at 03:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Codecs Input Validation Failure Causing Sandbox Escape in Chrome Windows

Thu, 09 Jul 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Codecs in Google Chrome on Windows prior to 150.0.7871.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-09T10:23:40.710Z

Reserved: 2026-07-08T17:07:42.495Z

Link: CVE-2026-15122

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T03:45:03Z

Weaknesses
  • CWE-20

    Improper Input Validation