Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Description requires prior renderer compromise (PR:L not PR:N), high-complexity race window (AC:H), user file interaction (UI:R), sandbox-escape scope change (S:C), and full host impact post-escape.
Primary rating from Vendor (Chrome).
CVSS VectorVendor: Chrome
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)
AnalysisAI
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a race condition in Safe Browsing handling of a malicious file. Chromium rates the issue High severity and a vendor patch is available, though no public exploit has been identified at time of analysis.
Technical ContextAI
The flaw lives in Chrome's Safe Browsing component on macOS, which inspects downloaded files against Google's reputation service before allowing them to be written to disk. CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, i.e. a race condition) indicates that two execution paths - likely the Safe Browsing check and the file handoff between the sandboxed renderer and a more privileged browser/utility process - operate on shared state without adequate locking, producing a TOCTOU-style window an attacker can win. The affected CPE cpe:2.3:a:google:chrome covers Chrome desktop builds, and the description scopes impact to the macOS port specifically, where the sandbox is implemented via Seatbelt/sandbox_init and the macOS-specific Safe Browsing file IPC paths.
RemediationAI
Vendor-released patch: Chrome 149.0.7827.115 for the macOS stable channel - upgrade per the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html and verify rollout via chrome://settings/help on managed Macs. Because the bug requires a compromised renderer as a precondition, defense-in-depth mitigations while patching include enforcing Chrome auto-update via the EnrolledStable policy, blocking download of high-risk file types using DownloadRestrictions=3 (which sharply reduces user interaction with the malicious file required by UI:R but breaks legitimate download workflows), and disabling Safe Browsing enhanced/standard mode temporarily is NOT advised because it removes the very check involved and weakens broader phishing protection. Endpoint controls such as Gatekeeper, XProtect, and EDR with macOS process-lineage telemetry can detect post-escape child processes spawned by the Chrome helper but will not prevent the race itself.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36342
GHSA-276g-w4m7-hp25