Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers an integer overflow in the V8 JavaScript engine. The flaw is rated High severity by Chromium and carries a CVSS 8.8 score requiring user interaction (visiting a malicious page). At time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV, though Chrome V8 bugs are historically attractive targets for exploit developers.
Technical ContextAI
V8 is the open-source JavaScript and WebAssembly engine that powers Google Chrome, Chromium derivatives (Edge, Opera, Brave, Vivaldi), and Node.js. The root cause is CWE-472 (External Control of Assumed-Immutable Web Parameter) as classified, though the description points to a classic integer overflow during JavaScript value processing - a class of bug that commonly yields out-of-bounds reads/writes on V8's heap and is a frequent stepping stone to type confusion or arbitrary read/write primitives. Per the description, successful exploitation here is contained within the renderer sandbox, meaning a separate sandbox-escape bug would be required for full host compromise. The fix landed in Chrome Stable 149.0.7827.53 as referenced in the Chromium issue tracker (issues.chromium.org/issues/515431687) and the Chrome Releases blog.
RemediationAI
Vendor-released patch: Google Chrome 149.0.7827.53 (Stable channel) - upgrade all desktop Chrome installations to 149.0.7827.53 or later as announced at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html, and verify with chrome://settings/help. For managed fleets, push the update via Chrome Browser Cloud Management, Google Update, or your endpoint management tool, and force-restart browsers to ensure the renderer picks up the new V8. Downstream Chromium-based browsers (Edge, Brave, Opera, Vivaldi) and Electron/CEF applications should be updated to their next vendor release that incorporates the V8 fix; until then, compensating controls include disabling JavaScript on untrusted origins via enterprise policy (DefaultJavaScriptSetting=2 with per-site allowlists) which breaks most modern web apps, enforcing Site Isolation (already default but verify with --site-per-process), and restricting browsing on high-value endpoints to a curated allowlist. No standalone workaround in the V8 code path is documented in the references, so patching is the only complete fix.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Vendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34436
GHSA-74wg-r88r-3rgq