Skip to main content

Google Chrome EUVDEUVD-2026-34740

| CVE-2026-11279 HIGH
Out-of-bounds Read (CWE-125)
2026-06-05 chrome-cve-admin@google.com GHSA-fgrx-m48q-597v
High
Disputed · 8.8 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 03:17 vuln.today
CVSS changed
Jun 05, 2026 - 02:22 NVD
8.8 (HIGH)
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 05, 2026 - 00:17 nvd
HIGH 8.8

DescriptionNVD

Out of bounds read in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Remote code execution in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the browser sandbox by luring a user to a crafted HTML page. The flaw stems from an out-of-bounds read (CWE-125) and carries a CVSS 8.8 rating, though no public exploit has been identified at time of analysis and CISA SSVC marks exploitation status as 'none'. Code execution is confined to the renderer sandbox, requiring chaining with a sandbox escape for full system compromise.

Technical ContextAI

The vulnerability resides in Chrome DevTools, the browser's built-in developer instrumentation suite that parses untrusted HTML, JavaScript, and protocol messages from inspected pages. CWE-125 (Out-of-bounds Read) indicates a memory boundary violation where DevTools reads past the end of an allocated buffer when processing attacker-controlled input from a crafted HTML page; on Chromium architectures this read primitive has historically been chainable into arbitrary code execution by leaking pointers and corrupting adjacent V8 or Blink heap structures. Affected builds are all Chrome Stable channel releases prior to 149.0.7827.53 across desktop platforms, as reflected in the EUVD advisory.

RemediationAI

Upgrade Google Chrome to version 149.0.7827.53 or later on all desktop platforms - this is the vendor-released patch published in the June 2026 Chrome Stable channel update (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html). In enterprise environments, force a browser restart via group policy to ensure the new binary loads, since Chrome only activates updates after relaunch. As a temporary compensating control for users who cannot update immediately, disable or restrict DevTools access via the DeveloperToolsAvailability enterprise policy (set to DeveloperToolsDisallowed) - this prevents the vulnerable code path from being reachable, with the trade-off that legitimate web developers lose their inspection tooling. Also track Chromium-based browsers (Edge, Brave, Opera) for their corresponding security releases, and monitor https://issues.chromium.org/issues/501878477 for public disclosure details once Google unrestricts it.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-34740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy