What is the CVSS score of CVE-2026-11640?

CVE-2026-11640 has a CVSS 3.1 base score of 8.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Google Chrome are affected by CVE-2026-11640?

Google Chrome versions before 149.0.7827.103 contain a sandbox escape vulnerability that could allow an attacker with an already-compromised browser renderer process to execute code outside the…. A patch is available.

How to fix or mitigate CVE-2026-11640?

24 hours: Identify all systems running Chrome versions prior to 149.0.7827.103 using endpoint management or vulnerability scanning tools. 7 days: Deploy Chrome 149.0.7827.103 or later organization-wide via patch management systems and enforce automatic updates if not already enabled. 30 days: Verify patch deployment completion and confirm zero systems remain on vulnerable versions through compliance scanning.

Google Chrome CVE-2026-11640

EUVD-2026-35240 HIGH

External Control of Assumed-Immutable Web Parameter (CWE-472)

2026-06-09 chrome-cve-admin@google.com

GHSA-p626-pw8w-29p4

Google Buffer Overflow Red Hat Suse

8.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.3 HIGH

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

SUSE

CRITICAL

qualitative

Red Hat

9.0 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 14:23 vuln.today

CVSS changed

Jun 09, 2026 - 14:22 NVD

8.3 (HIGH)

CVE Published

Jun 09, 2026 - 00:16 nvd

HIGH 8.3

CVE Published

Jun 09, 2026 - 00:16 nvd

UNKNOWN (no severity yet)

DescriptionCVE.org

Integer overflow in libyuv in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

AnalysisAI

Sandbox escape in Google Chrome versions prior to 149.0.7827.103 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via an integer overflow in the libyuv image conversion library. Exploitation requires user interaction with a crafted HTML page and a chained renderer compromise, but Google rated the underlying issue Critical because a successful chain yields code execution outside Chrome's sandbox. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Lure user to crafted page

Delivery

Trigger prior renderer RCE

Exploit

Deliver malicious media to libyuv

Install

Overflow integer in size calculation

Corrupt memory across sandbox boundary

Execute

Execute code in privileged Chrome process

Impact

Persist or pivot to host

Recon

Lure user to crafted page

Delivery

Trigger prior renderer RCE

Exploit

Deliver malicious media to libyuv

Install

Overflow integer in size calculation

Corrupt memory across sandbox boundary

Execute

Execute code in privileged Chrome process

Impact

Persist or pivot to host

Vulnerability AssessmentAI

Exploitation	Exploitation requires the attacker to have already compromised Chrome's renderer process - this bug is a sandbox-escape primitive, not a primary RCE - and the target user must visit (UI:R) a crafted HTML page that delivers attacker-controlled inputs to libyuv conversion routines. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 8.3 vector (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) correctly reflects that the bug is reachable over the network, requires high attack complexity, requires user interaction (visiting a page), and crosses a scope boundary (the sandbox) when exploited - all hallmarks of a sandbox-escape primitive that is only useful as the second stage of an exploit chain. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker lures a target to a malicious or compromised website that first triggers a separate renderer-process vulnerability to achieve code execution inside the sandboxed renderer, then serves crafted image or video data that drives libyuv into the integer overflow, corrupting memory at a sandbox boundary and pivoting to code execution in a more privileged Chrome process. Because no public exploit has been identified and attack complexity is rated High, this is most plausible as the second stage of a targeted exploit chain rather than commodity drive-by malware.
Remediation	Vendor-released patch: Google Chrome 149.0.7827.103 - update Chrome to 149.0.7827.103 or later via the stable channel and restart the browser to apply, as described at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html (tracking issue https://issues.chromium.org/issues/517339758). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Chrome versions prior to 149.0.7827.103 using endpoint management or vulnerability scanning tools. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 16.0	Fixed
openSUSE Tumbleweed	Fixed

CVE-2026-11640 vulnerability details – vuln.today

Back

Google Chrome CVE-2026-11640

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code