Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Network-delivered HTML, but AC:H and UI:R because exploitation requires a pre-existing renderer compromise and user navigation; PR:N as no browser auth is needed; S:C and C/I/A:H reflect the sandbox escape into the browser process.
Primary rating from Vendor (Chrome).
CVSS VectorVendor: Chrome
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Sandbox escape in Google Chrome on Windows prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page abusing the Views UI framework. Chromium rates the severity High, and no public exploit is identified at time of analysis, but sandbox-escape primitives are routinely chained with renderer RCE bugs into full browser compromise on Windows endpoints.
Technical ContextAI
The flaw lives in Chromium's Views framework, the cross-platform C++ UI toolkit that Chrome uses on Windows for native windows, menus, and dialogs and that runs inside the privileged browser process. CWE-693 (Protection Mechanism Failure) indicates the Views implementation does not correctly enforce a security boundary - specifically, the renderer-to-browser process boundary that the Chromium sandbox is designed to maintain. Because Views code is reachable from renderer-originated IPC, an inappropriate implementation there lets a compromised low-privileged renderer issue UI-related requests that the browser process mishandles, yielding code execution outside the sandbox. CPE data confirms google:chrome is the affected product, and the issue is Windows-specific per the description.
RemediationAI
Vendor-released patch: Google Chrome 149.0.7827.115 (Stable channel) on Windows - upgrade all Windows Chrome installs to 149.0.7827.115 or later via the Chrome Stable channel update referenced at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html, and restart the browser to apply. For managed fleets, push the update via Chrome Browser Enterprise / Google Update / WSUS-equivalent tooling and verify with chrome://settings/help. There is no in-product configuration toggle that disables the Views subsystem, so meaningful workarounds are limited; compensating controls until patched include enforcing site isolation (already default), blocking untrusted external browsing through web proxy categorization or restricting browsing to known-good sites on high-value Windows hosts, and pairing with EDR rules that alert on chrome.exe browser-process spawning unusual child processes - with the trade-off of false positives on legitimate Chrome features such as PDF print and native messaging hosts.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36351
GHSA-w2mw-j4jj-c949