What is the CVSS score of EUVD-2026-35254?

EUVD-2026-35254 has a CVSS 3.1 base score of 9.6 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Google Chrome are affected by EUVD-2026-35254?

Google Chrome for Mac versions prior to 149.0.7827.103 contains a critical sandbox escape vulnerability (CVE-2026-11654, CVSS 9.6) in the CameraCapture component that could allow attackers to execute…. A patch is available.

How to fix or mitigate EUVD-2026-35254?

Within 24 hours: Identify all Mac users running Chrome versions prior to 149.0.7827.103 and send urgent patch notification. Within 7 days: Deploy Chrome 149.0.7827.103 or later via MDM across all Mac systems and update deployment policies to enforce this minimum version. Within 30 days: Verify patch compliance across all Mac endpoints and document remediation of any exceptions.

Google Chrome EUVD-2026-35254

| CVE-2026-11654 CRITICAL

Use After Free (CWE-416)

2026-06-09 chrome-cve-admin@google.com

GHSA-56wm-h6f8-c34v

Denial Of Service Use After Free Memory Corruption Google Red Hat Suse

9.6

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.6 CRITICAL

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

SUSE

CRITICAL

qualitative

Red Hat

9.6 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 11:25 vuln.today

CVSS changed

Jun 09, 2026 - 11:22 NVD

9.6 (CRITICAL)

CVE Published

Jun 09, 2026 - 00:16 nvd

UNKNOWN (no severity yet)

CVE Published

Jun 09, 2026 - 00:16 nvd

CRITICAL 9.6

DescriptionCVE.org

Use after free in CameraCapture in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Sandbox escape in Google Chrome for Mac (versions prior to 149.0.7827.103) stems from a use-after-free condition in the CameraCapture component, enabling a remote attacker to break out of the renderer sandbox via a crafted HTML page. With a CVSS of 9.6 (scope-changed, high impact across CIA) and an upstream fix released by Google, the bug carries high severity but requires user interaction to load the malicious page; no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Lure Mac Chrome user to crafted HTML page

Delivery

Page invokes CameraCapture code path via WebRTC/getUserMedia

Exploit

Trigger use-after-free on freed capture object

Install

Reclaim freed memory with controlled data

Hijack control flow inside renderer

Execute

Escape sandbox into privileged browser process

Impact

Execute arbitrary code on macOS host

Recon

Lure Mac Chrome user to crafted HTML page

Delivery

Page invokes CameraCapture code path via WebRTC/getUserMedia

Exploit

Trigger use-after-free on freed capture object

Install

Reclaim freed memory with controlled data

Hijack control flow inside renderer

Execute

Escape sandbox into privileged browser process

Impact

Execute arbitrary code on macOS host

Vulnerability AssessmentAI

Exploitation	Target must be running Google Chrome on macOS at a version below 149.0.7827.103, and the victim must perform user interaction by loading attacker-controlled HTML in that browser (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals are largely aligned toward serious risk: CVSS 9.6 with AV:N/AC:L/PR:N/S:C/C:H/I:H/A:H indicates a low-complexity, network-reachable, unauthenticated attack with cross-component impact, and the affected primitive (sandbox escape) is exactly the class Google rates 'High' internally. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker hosts a malicious HTML page (or injects it via a malvertising chain) that, when visited by a Mac user running an unpatched Chrome, drives the WebRTC/getUserMedia surface in a way that triggers the use-after-free in CameraCapture. By spraying the freed allocation with attacker-controlled data the attacker corrupts a freed object's vtable or callback pointer, gaining code execution that escapes the renderer sandbox (S:C in the CVSS vector) and runs in a more privileged Chrome process context. …
Remediation	Primary fix: upgrade Google Chrome on macOS to 149.0.7827.103 or later (vendor-released patch confirmed by Google via the Chrome Releases Stable Channel post at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html); on managed fleets, force-restart Chrome so the staged update actually loads. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Mac users running Chrome versions prior to 149.0.7827.103 and send urgent patch notification. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 16.0	Fixed
openSUSE Tumbleweed	Fixed

EUVD-2026-35254 vulnerability details – vuln.today

Back

Google Chrome EUVD-2026-35254

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code