Skip to main content

Google Chrome CVE-2026-15122

| EUVDEUVD-2026-42451 HIGH
Improper Input Validation (CWE-20)
2026-07-08 chrome-cve-admin@google.com GHSA-mgx7-w737-hvvj
8.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.3 HIGH

Network-delivered crafted page (AV:N/UI:R) but requires a prior renderer compromise making it high-complexity (AC:H); the sandbox-boundary crossing is S:C with full C/I/A impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 09, 2026 - 11:47 vuln.today
CVSS changed
Jul 09, 2026 - 11:22 NVD
8.3 (HIGH)
CVE Published
Jul 08, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 08, 2026 - 23:16 cve.org
HIGH 8.3

DescriptionCVE.org

Insufficient validation of untrusted input in Codecs in Google Chrome on Windows prior to 150.0.7871.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Sandbox escape in Google Chrome on Windows prior to 150.0.7871.115 allows an attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page, chaining a codec input-validation flaw into higher-privileged host-process compromise. The bug is rated High by Chromium and carries a CVSS 8.3 with a scope-changing vector reflecting the sandbox-boundary crossing. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to crafted HTML page
Delivery
Compromise sandboxed renderer process
Exploit
Feed malformed media to codec parser
Execution
Escape sandbox to privileged process
Impact
Execute code on host

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker has ALREADY compromised Chrome's renderer process (a prior, separate renderer RCE) and can deliver crafted media/HTML through the Codecs subsystem - this is a chained sandbox-escape stage, not a standalone bug. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H = 8.3) signals network reachability with high attack complexity and required user interaction, yielding high confidentiality, integrity and availability impact across a changed scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A victim on an unpatched Chrome for Windows visits an attacker-controlled web page that first exploits a separate renderer vulnerability to gain code execution inside the sandboxed renderer, then feeds crafted media to the codec path to escape the sandbox and run code in a higher-privileged Chrome process. No public POC is referenced, and the high attack complexity plus required user interaction and prerequisite renderer compromise make this a targeted, multi-stage attack rather than a trivial drive-by.
Remediation Vendor-released patch: Chrome 150.0.7871.115 for Windows - upgrade to this build or later via Chrome's built-in updater (chrome://settings/help) and relaunch to apply, which is the primary and complete fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Windows systems running Chrome versions prior to 150.0.7871.115 and communicate mandatory patch requirement to users. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15122 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy