EUVD-2026-35247
GHSA-jrj3-rghx-689r
Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Use after free in Printing in Google Chrome on Android prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Sandbox escape in Google Chrome on Android prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting a use-after-free in the Printing component. Google rates this High severity, and a vendor patch is available, but no public exploit identified at time of analysis and the vulnerability requires chaining with a separate renderer compromise plus user interaction with a print flow.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must have already compromised the Chrome renderer process on Android (per the CVE description's explicit precondition), the target must be running Chrome for Android at a version below 149.0.7827.103, the victim must be coaxed into loading a crafted HTML page and into the user interaction required by CVSS UI:R (consistent with invoking a print action or related Printing UI flow), and attack complexity is High (AC:H) meaning the attacker must win a memory-layout race or otherwise satisfy non-trivial conditions to reliably reclaim the freed Printing object. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 8.3 is driven by Scope:Changed (sandbox escape crosses a security boundary) and full CIA impact, but the vector explicitly marks Attack Complexity High, User Interaction Required, and - critically - assumes the attacker has already compromised the renderer process, which is itself a non-trivial precondition not reflected in PR:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker lures the victim to a malicious HTML page that first exploits a separate, unpatched renderer-process vulnerability to gain code execution inside the sandboxed renderer, then triggers the crafted print flow to drive the Printing IPC into the use-after-free condition, requiring the user to interact with a print dialog or print-related action. Successful exploitation of the freed Printing object corrupts memory in the browser process and yields sandbox escape on Android, granting the attacker the full privileges of the Chrome browser process outside site isolation. … |
| Remediation | Vendor-released patch: update Google Chrome for Android to 149.0.7827.103 or later via the Google Play Store, per the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html and the upstream Chromium issue at https://issues.chromium.org/issues/502156940. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit managed and BYOD Android devices to identify Chrome versions prior to 149.0.7827.103. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Vendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today