Skip to main content

Google Chrome CVE-2026-14411

| EUVDEUVD-2026-41166 CRITICAL
Improper Input Validation (CWE-20)
2026-07-01 Chrome GHSA-8jr8-cv4x-4jmv
9.6
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
9.6 CRITICAL

Remote crafted page needs no privileges but requires the victim to load it (UI:R); a sandbox escape crosses the security authority boundary (S:C) with high CIA impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
CRITICAL
qualitative

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 02, 2026 - 01:25 vuln.today
CVSS changed
Jul 02, 2026 - 00:22 NVD
9.6 (CRITICAL)
CVE Published
Jul 01, 2026 - 22:21 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 01, 2026 - 22:21 cve.org
CRITICAL 9.6

DescriptionCVE.org

Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Sandbox escape in Google Chrome's ANGLE graphics component before 150.0.7871.46 lets a remote attacker break out of the renderer sandbox when a victim loads a malicious web page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE and carries a CVSS 9.6 due to scope change and full CIA impact, though exploitation requires the user to visit attacker-controlled content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to malicious site
Delivery
Deliver crafted HTML with hostile WebGL
Exploit
Feed unvalidated input to ANGLE
Execution
Escape renderer sandbox
Impact
Execute code in GPU/browser process

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to load an attacker-crafted HTML page that drives malicious graphics input through ANGLE (the WebGL/GPU path) - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page containing malicious WebGL/graphics content and lures a target to visit it via phishing, a malvertising placement, or a compromised site. When the page renders, the crafted input triggers the ANGLE input-validation flaw and the attacker potentially escapes the renderer sandbox, gaining code execution at GPU/browser-process privilege. …
Remediation Vendor-released patch: update Google Chrome to 150.0.7871.46 or later via the Stable channel, and on managed fleets force the browser to relaunch so the update actually applies, since Chrome only completes the update after a restart. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Chrome installations and versions across the organization, identifying systems running versions below 150.0.7871.46; establish testing and deployment timeline. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy