Skip to main content

Google Chrome CVE-2026-14412

| EUVDEUVD-2026-41167 HIGH
Improper Input Validation (CWE-20)
2026-07-01 Chrome GHSA-gm8p-g47w-pwgf
8.3
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.3 HIGH

Remote crafted page (AV:N, UI:R) but requires a pre-compromised renderer, so AC:H; sandbox escape crosses trust boundary (S:C) with total impact (C/I/A:H).

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
HIGH
qualitative

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 02, 2026 - 01:24 vuln.today
CVSS changed
Jul 02, 2026 - 00:22 NVD
8.3 (HIGH)
CVE Published
Jul 01, 2026 - 22:21 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 01, 2026 - 22:21 cve.org
HIGH 8.3

DescriptionCVE.org

Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by luring a victim to a crafted HTML page. This is a second-stage bug that chains with a prior renderer-level exploit rather than a standalone entry point; Chromium rates it High severity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise Chrome renderer via prior bug
Delivery
Serve crafted HTML page
Exploit
Feed malformed input to ANGLE
Execution
Trigger input-validation flaw
Persist
Escape browser sandbox
Impact
Execute code in privileged context

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker has ALREADY compromised the Chrome renderer process (a prior, separate renderer exploit is a hard prerequisite), and the victim must load a crafted HTML page (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed and point to a real-but-conditional risk rather than a mass-exploitation emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first exploits a separate renderer-side bug to gain code execution inside Chrome's sandboxed renderer, then serves a crafted HTML page that drives malformed graphics input through ANGLE to break out of the sandbox and run code in the more privileged browser/GPU context. Given AC:H and the required prior renderer compromise, this is realistically part of a targeted exploit chain rather than a drive-by; no public POC is currently referenced.
Remediation Update Google Chrome to version 150.0.7871.46 or later on the Stable channel (Vendor-released patch: 150.0.7871.46 per the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html), then fully restart the browser so the new binary loads. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Chrome deployments and establish your update distribution process. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy