What is the CVSS score of CVE-2026-11659?

CVE-2026-11659 has a CVSS 3.1 base score of 9.6 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Google Chrome are affected by CVE-2026-11659?

Google Chrome on Linux contains a critical sandbox escape vulnerability (CVE-2026-11659, CVSS 9.6) enabling remote code execution when users visit malicious web pages, affecting all Linux-based…. A patch is available.

How to fix or mitigate CVE-2026-11659?

24 hours: Notify stakeholders and begin testing Google Chrome 149.0.7827.103 on representative Linux systems. 7 days: Initiate enterprise-wide deployment of Chrome 149.0.7827.103 to all Linux systems with Chrome installed. 30 days: Verify 95%+ deployment coverage and document remediation completion.

Google Chrome CVE-2026-11659

EUVD-2026-35259 CRITICAL

Improper Input Validation (CWE-20)

2026-06-09 chrome-cve-admin@google.com

GHSA-m2rp-hqmh-cm5f

Google Buffer Overflow Red Hat Suse

9.6

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.6 CRITICAL

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

SUSE

CRITICAL

qualitative

Red Hat

9.6 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 11:26 vuln.today

CVSS changed

Jun 09, 2026 - 11:22 NVD

9.6 (CRITICAL)

CVE Published

Jun 09, 2026 - 00:16 nvd

UNKNOWN (no severity yet)

CVE Published

Jun 09, 2026 - 00:16 nvd

CRITICAL 9.6

DescriptionCVE.org

Integer overflow in UI in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Sandbox escape in Google Chrome on Linux prior to 149.0.7827.103 can be triggered by an integer overflow in the browser's UI component when a victim visits a crafted HTML page. Rated CVSS 9.6 with scope change, this issue allows a remote attacker to break out of the Chrome renderer sandbox after one click or navigation, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Attacker hosts crafted HTML page

Delivery

Victim on unpatched Linux Chrome loads page

Exploit

Integer overflow triggered in UI component

Install

Memory corruption in browser process

Sandbox boundary bypassed

Execute

Code execution outside renderer confinement

Impact

Pivot to credential theft or local escalation

Recon

Attacker hosts crafted HTML page

Delivery

Victim on unpatched Linux Chrome loads page

Exploit

Integer overflow triggered in UI component

Install

Memory corruption in browser process

Sandbox boundary bypassed

Execute

Code execution outside renderer confinement

Impact

Pivot to credential theft or local escalation

Vulnerability AssessmentAI

Exploitation	Victim must be running Google Chrome on Linux at a version below 149.0.7827.103 and must load attacker-controlled HTML content (UI:R in the CVSS vector - a click, navigation, opened tab, or iframe render is sufficient; no credentials or prior authentication are needed, PR:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H produces a 9.6 score driven primarily by the scope change (S:C) - the integer overflow in a UI-tier component crosses the sandbox boundary, which is exactly the property that elevates this above a typical renderer bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker hosts a malicious HTML page (or compromises an ad network / third-party script on a legitimate site) containing the crafted input that triggers the integer overflow in Chrome's Linux UI code. A Linux user running an unpatched Chrome navigates to the page - the required user interaction is simply loading the URL - and the overflow corrupts state in the browser process, breaking out of the renderer sandbox and allowing the attacker to execute code with browser-process privileges, from which credential theft, persistence, or pivoting to local privilege escalation chains becomes feasible. …
Remediation	Upgrade to Google Chrome 149.0.7827.103 or later on Linux as the primary fix, per the vendor advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html; this is a vendor-released patch with an exact fix version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Notify stakeholders and begin testing Google Chrome 149.0.7827.103 on representative Linux systems. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 16.0	Fixed
openSUSE Tumbleweed	Fixed

CVE-2026-11659 vulnerability details – vuln.today

Back

Google Chrome CVE-2026-11659

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code