What is the CVSS score of CVE-2026-12030?

CVE-2026-12030 has a CVSS 3.1 base score of 8.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Google Chrome are affected by CVE-2026-12030?

Google Chrome on Android prior to version 149.0.7827.115 contains a sandbox escape vulnerability (CVSS 8.3) that allows attackers to escalate from an already-compromised renderer process to achieve…. A patch is available.

How to fix or mitigate CVE-2026-12030?

Within 24 hours: Deploy Chrome version 149.0.7827.115 or later to all managed Android devices as mandatory security update. Within 7 days: Verify deployment compliance targeting 95%+ adoption and audit renderer process attack surface in your environment. Within 30 days: Conduct threat hunting for indicators of renderer compromise in logs and implement endpoint detection signatures for sandbox escape exploitation attempts.

Google Chrome CVE-2026-12030

EUVD-2026-36350 HIGH

Heap-based Buffer Overflow (CWE-122)

2026-06-11 Chrome

GHSA-jxq2-jp82-9mj4

Heap Overflow Google Buffer Overflow

8.3

CVSS 3.1 · Vendor: Chrome

Severity by source

Vendor (Chrome) PRIMARY

8.3 HIGH

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

vuln.today AI

8.3 HIGH

Network-delivered via HTML (AV:N), high complexity due to required renderer-compromise chain (AC:H), no auth (PR:N), user must visit page (UI:R), sandbox escape changes scope (S:C), full GPU-process impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 12, 2026 - 02:26 vuln.today

CVSS changed

Jun 12, 2026 - 02:22 NVD

8.3 (HIGH)

CVE Published

Jun 11, 2026 - 20:48 cve.org

HIGH 8.3

CVE Published

Jun 11, 2026 - 20:48 cve.org

UNKNOWN (no severity yet)

DescriptionCVE.org

Out of bounds write in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Sandbox escape in Google Chrome on Android prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox through a heap-based out-of-bounds write in the GPU process triggered by a crafted HTML page. Chromium rates the severity High and a vendor patch is available, but no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Lure Android user to crafted page

Delivery

Exploit separate renderer RCE

Exploit

Send malicious GPU IPC from renderer

Execution

Trigger heap OOB write in GPU process

Persist

Escape Chrome sandbox

Impact

Execute code with GPU process privileges

Access

Lure Android user to crafted page

Delivery

Exploit separate renderer RCE

Exploit

Send malicious GPU IPC from renderer

Execution

Trigger heap OOB write in GPU process

Persist

Escape Chrome sandbox

Impact

Execute code with GPU process privileges

Vulnerability AssessmentAI

Exploitation	Exploitation requires three concrete preconditions stated in the CVE: (1) the target is Google Chrome on Android at a version below 149.0.7827.115 - desktop Chrome and non-Android platforms are not in scope; (2) the attacker must have already compromised the renderer process, meaning this bug is not directly exploitable from a normal web page and must be chained with a separate renderer RCE; and (3) the victim must load attacker-controlled crafted HTML (UI:R), enabling the compromised renderer to deliver the malformed GPU IPC sequence that triggers the heap out-of-bounds write. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Real-world risk is moderate-to-elevated but conditional. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A targeted attacker lures an Android user to a malicious site that first exploits a separate renderer vulnerability to gain code execution inside the sandboxed renderer, then issues crafted GPU IPC messages from the crafted HTML page to trigger the heap out-of-bounds write in the GPU process and escape the sandbox. No public PoC is identified at time of analysis, and the AC:H, UI:R, and chained-renderer prerequisites make this realistic primarily for sophisticated full-chain operators rather than commodity attackers.
Remediation	Vendor-released patch: Chrome for Android 149.0.7827.115 - upgrade Chrome on all Android devices to this version or later via Google Play, as documented in the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Deploy Chrome version 149.0.7827.115 or later to all managed Android devices as mandatory security update. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-12030 vulnerability details – vuln.today

Back

Google Chrome CVE-2026-12030

Severity by source

CVSS VectorVendor: Chrome

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code