Severity by source
Sources disagree (Low–High)AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionNVD
Out of bounds read in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Remote code execution in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the browser sandbox by luring a user to a crafted HTML page. The flaw stems from an out-of-bounds read (CWE-125) and carries a CVSS 8.8 rating, though no public exploit has been identified at time of analysis and CISA SSVC marks exploitation status as 'none'. Code execution is confined to the renderer sandbox, requiring chaining with a sandbox escape for full system compromise.
Technical ContextAI
The vulnerability resides in Chrome DevTools, the browser's built-in developer instrumentation suite that parses untrusted HTML, JavaScript, and protocol messages from inspected pages. CWE-125 (Out-of-bounds Read) indicates a memory boundary violation where DevTools reads past the end of an allocated buffer when processing attacker-controlled input from a crafted HTML page; on Chromium architectures this read primitive has historically been chainable into arbitrary code execution by leaking pointers and corrupting adjacent V8 or Blink heap structures. Affected builds are all Chrome Stable channel releases prior to 149.0.7827.53 across desktop platforms, as reflected in the EUVD advisory.
RemediationAI
Upgrade Google Chrome to version 149.0.7827.53 or later on all desktop platforms - this is the vendor-released patch published in the June 2026 Chrome Stable channel update (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html). In enterprise environments, force a browser restart via group policy to ensure the new binary loads, since Chrome only activates updates after relaunch. As a temporary compensating control for users who cannot update immediately, disable or restrict DevTools access via the DeveloperToolsAvailability enterprise policy (set to DeveloperToolsDisallowed) - this prevents the vulnerable code path from being reachable, with the trade-off that legitimate web developers lose their inspection tooling. Also track Chromium-based browsers (Edge, Brave, Opera) for their corresponding security releases, and monitor https://issues.chromium.org/issues/501878477 for public disclosure details once Google unrestricts it.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34740
GHSA-fgrx-m48q-597v