Severity by source
Sources disagree (Low–High)AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Insufficient policy enforcement in Web Bluetooth in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing Web Bluetooth policy enforcement. The flaw requires user interaction and a pre-existing renderer compromise, and no public exploit identified at time of analysis. Despite a CVSS of 8.3, EPSS is only 0.03% (10th percentile) and CISA SSVC marks exploitation status as 'none', indicating low real-world exploitation likelihood at present.
Technical ContextAI
Web Bluetooth is a Chromium API that lets web pages communicate with nearby Bluetooth Low Energy devices through the browser, with the renderer process brokering requests through the privileged browser process under a strict permission policy. CWE-602 (Client-Side Enforcement of Server-Side Security) reflects that a security decision normally enforced in a trusted boundary was instead checkable or bypassable from the less-trusted side - here, the renderer was able to influence Web Bluetooth policy decisions that should have been enforced by the browser process. Because Chromium's security model treats the renderer as untrusted, any logic that lets a compromised renderer convince the browser process to grant broader Web Bluetooth access becomes a building block in a sandbox escape chain. The affected component is the desktop Chrome stable channel up through 149.0.7827.52, with the fix landing in 149.0.7827.53 per the Chrome Releases advisory.
RemediationAI
Vendor-released patch: Google Chrome 149.0.7827.53 on the stable desktop channel - update via Chrome's built-in updater or by redeploying managed packages, and force-relaunch browsers so the new binary is loaded (Chrome continues running the old version until restart). Reference the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html and the tracker at https://issues.chromium.org/issues/496427030 for downstream coordination. As a compensating control until the update propagates, disable Web Bluetooth via enterprise policy DefaultWebBluetoothGuardSetting=2 (block) or WebBluetoothBlockedForUrls, which removes the affected attack surface at the cost of breaking any internal tooling that depends on Web Bluetooth device pairing; users running Chromium-derivative browsers should track and apply their vendor's corresponding Chromium 149.0.7827.53 rebase.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34697
GHSA-xjq4-w8f6-7xc7