Skip to main content

Google Chrome CVE-2026-11293

| EUVDEUVD-2026-34754 CRITICAL
Use After Free (CWE-416)
2026-06-05 chrome-cve-admin@google.com GHSA-66jg-ppmj-786h
Critical
Disputed · 9.6 NVD
Share

Severity by source

Sources disagree (Low–Critical)
NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
9.6 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 20:28 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
9.6 (CRITICAL)
CVE Published
Jun 05, 2026 - 00:17 nvd
CRITICAL 9.6
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Use after free in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to break out of the renderer sandbox via a use-after-free flaw in the Input component when a victim visits a crafted HTML page. The CVSS score of 9.6 reflects the scope change inherent to sandbox escapes, though Chromium rated the underlying severity as Low and EPSS estimates exploitation probability at only 0.03%. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Technical ContextAI

The vulnerability is a CWE-416 Use-After-Free in Chrome's Input subsystem, which handles keyboard, mouse, touch, and pointer event dispatch within Blink and the browser process. Use-after-free bugs in this surface typically arise when an Input object's lifetime is not correctly tied to its referencing handler, allowing memory to be reclaimed and re-allocated for attacker-controlled data before the dangling pointer is dereferenced. Because the CVSS vector includes S:C (scope changed), the bug enables crossing the renderer/browser trust boundary - i.e., a sandbox escape - which is consistent with the 'Input' surface being reachable across processes. Affected builds correspond to all Chrome desktop versions before 149.0.7827.53 (per the EUVD record EUVD-2026-34754).

RemediationAI

Vendor-released patch: Google Chrome 149.0.7827.53 on the Stable channel - upgrade all desktop installs by allowing the auto-updater to apply the build or by forcing an update via chrome://settings/help, then restart the browser to complete activation; verify per the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Enterprises managing Chrome via policy should push the new pinned version through their MDM/GPO channel and confirm fleet compliance. For downstream Chromium browsers (Edge, Brave, Opera, Vivaldi) and Electron-based apps, update to the vendor build that incorporates the equivalent Chromium fix. As a temporary compensating control until the update lands, restrict users to trusted sites via SafeSites/URL allowlists or enable Enhanced Safe Browsing - these reduce exposure to malicious HTML payloads but do not eliminate risk from compromised or ad-served content.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-11293 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy