Skip to main content

Google Chrome EUVDEUVD-2026-36330

| CVE-2026-12009 HIGH
Improper Input Validation (CWE-20)
2026-06-11 Chrome GHSA-4h4g-832r-8c7f
8.3
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.3 HIGH

Network-delivered via HTML but AC:H and UI:R because attacker must first land a renderer RCE and the user must load the page; S:C and C/I/A:H reflect full sandbox escape.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
CRITICAL
qualitative
Red Hat
8.3 HIGH
qualitative

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 12, 2026 - 02:22 vuln.today
CVSS changed
Jun 12, 2026 - 02:22 NVD
8.3 (HIGH)
CVSS changed
Jun 12, 2026 - 02:22 NVD
8.3 (HIGH)
CVE Published
Jun 11, 2026 - 20:48 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 11, 2026 - 20:48 cve.org
HIGH 8.3

DescriptionCVE.org

Insufficient validation of untrusted input in Accessibility in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

AnalysisAI

Sandbox escape in Google Chrome on macOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that exercises the Accessibility subsystem. Chromium rates the issue Critical severity; no public exploit identified at time of analysis, and the flaw is not on the CISA KEV list. The bug is reachable only after a prior renderer compromise and requires user interaction, which limits drive-by exploitation but makes it a key second-stage primitive in a full browser chain.

Technical ContextAI

The flaw lives in Chrome's Accessibility (a11y) component on macOS, which bridges the sandboxed renderer process to the more privileged browser process so it can expose DOM/UI semantics to assistive technologies like VoiceOver. CWE-20 (Improper Input Validation) indicates that messages or data crossing this renderer→browser IPC boundary are not adequately sanitized, so a malicious renderer can send unexpected accessibility input that the browser-side handler mishandles, breaking the sandbox isolation that normally contains renderer compromises. The CPE cpe:2.3:a:google:chrome covers desktop Chrome, but the description explicitly scopes impact to the macOS build, where the accessibility implementation differs from Windows/Linux due to its reliance on the NSAccessibility APIs.

RemediationAI

Vendor-released patch: Chrome 149.0.7827.115 for macOS - upgrade immediately via the stable channel as documented at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html. In managed fleets, push the update via MDM (Jamf, Intune, Kandji) and force a browser relaunch so the renderer/browser processes pick up the fix; verify by checking chrome://version. As a temporary compensating control on hosts that cannot be patched quickly, restrict browsing to trusted sites via enterprise policy (URLBlocklist/URLAllowlist) to reduce exposure to attacker-controlled HTML pages that could deliver a renderer-RCE-plus-this-escape chain - note this materially impacts user productivity. Disabling assistive technology integration is not a reliable mitigation since the accessibility tree is built regardless of whether a screen reader is attached.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-36330 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy