Skip to main content

Google Chrome CVE-2026-12022

| EUVDEUVD-2026-36342 HIGH
Race Condition (CWE-362)
2026-06-11 Chrome GHSA-276g-w4m7-hp25
8.3
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.0 HIGH

Description requires prior renderer compromise (PR:L not PR:N), high-complexity race window (AC:H), user file interaction (UI:R), sandbox-escape scope change (S:C), and full host impact post-escape.

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
CRITICAL
qualitative
Red Hat
8.3 HIGH
qualitative

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 12, 2026 - 02:25 vuln.today
CVSS changed
Jun 12, 2026 - 02:22 NVD
8.3 (HIGH)
CVSS changed
Jun 12, 2026 - 02:22 NVD
8.3 (HIGH)
CVE Published
Jun 11, 2026 - 20:48 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 11, 2026 - 20:48 cve.org
HIGH 8.3

DescriptionCVE.org

Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

AnalysisAI

Sandbox escape in Google Chrome on macOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a race condition in Safe Browsing handling of a malicious file. Chromium rates the issue High severity and a vendor patch is available, though no public exploit has been identified at time of analysis.

Technical ContextAI

The flaw lives in Chrome's Safe Browsing component on macOS, which inspects downloaded files against Google's reputation service before allowing them to be written to disk. CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, i.e. a race condition) indicates that two execution paths - likely the Safe Browsing check and the file handoff between the sandboxed renderer and a more privileged browser/utility process - operate on shared state without adequate locking, producing a TOCTOU-style window an attacker can win. The affected CPE cpe:2.3:a:google:chrome covers Chrome desktop builds, and the description scopes impact to the macOS port specifically, where the sandbox is implemented via Seatbelt/sandbox_init and the macOS-specific Safe Browsing file IPC paths.

RemediationAI

Vendor-released patch: Chrome 149.0.7827.115 for the macOS stable channel - upgrade per the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html and verify rollout via chrome://settings/help on managed Macs. Because the bug requires a compromised renderer as a precondition, defense-in-depth mitigations while patching include enforcing Chrome auto-update via the EnrolledStable policy, blocking download of high-risk file types using DownloadRestrictions=3 (which sharply reduces user interaction with the malicious file required by UI:R but breaks legitimate download workflows), and disabling Safe Browsing enhanced/standard mode temporarily is NOT advised because it removes the very check involved and weakens broader phishing protection. Endpoint controls such as Gatekeeper, XProtect, and EDR with macOS process-lineage telemetry can detect post-escape child processes spawned by the Chrome helper but will not prevent the race itself.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-12022 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy