Skip to main content

Google Chrome EUVDEUVD-2026-34697

| CVE-2026-11236 HIGH
Client-Side Enforcement of Server-Side Security (CWE-602)
2026-06-04 chrome-cve-admin@google.com GHSA-xjq4-w8f6-7xc7
High
Disputed · 8.3 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.2 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 14:23 vuln.today
CVSS changed
Jun 05, 2026 - 14:22 NVD
8.3 (None) 8.3 (HIGH)
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 04, 2026 - 23:17 nvd
HIGH 8.3

DescriptionCVE.org

Insufficient policy enforcement in Web Bluetooth in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing Web Bluetooth policy enforcement. The flaw requires user interaction and a pre-existing renderer compromise, and no public exploit identified at time of analysis. Despite a CVSS of 8.3, EPSS is only 0.03% (10th percentile) and CISA SSVC marks exploitation status as 'none', indicating low real-world exploitation likelihood at present.

Technical ContextAI

Web Bluetooth is a Chromium API that lets web pages communicate with nearby Bluetooth Low Energy devices through the browser, with the renderer process brokering requests through the privileged browser process under a strict permission policy. CWE-602 (Client-Side Enforcement of Server-Side Security) reflects that a security decision normally enforced in a trusted boundary was instead checkable or bypassable from the less-trusted side - here, the renderer was able to influence Web Bluetooth policy decisions that should have been enforced by the browser process. Because Chromium's security model treats the renderer as untrusted, any logic that lets a compromised renderer convince the browser process to grant broader Web Bluetooth access becomes a building block in a sandbox escape chain. The affected component is the desktop Chrome stable channel up through 149.0.7827.52, with the fix landing in 149.0.7827.53 per the Chrome Releases advisory.

RemediationAI

Vendor-released patch: Google Chrome 149.0.7827.53 on the stable desktop channel - update via Chrome's built-in updater or by redeploying managed packages, and force-relaunch browsers so the new binary is loaded (Chrome continues running the old version until restart). Reference the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html and the tracker at https://issues.chromium.org/issues/496427030 for downstream coordination. As a compensating control until the update propagates, disable Web Bluetooth via enterprise policy DefaultWebBluetoothGuardSetting=2 (block) or WebBluetoothBlockedForUrls, which removes the affected attack surface at the cost of breaking any internal tooling that depends on Web Bluetooth device pairing; users running Chromium-derivative browsers should track and apply their vendor's corresponding Chromium 149.0.7827.53 rebase.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-34697 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy