Skip to main content

Google Chrome EUVDEUVD-2026-36339

| CVE-2026-12018 HIGH
Improper Privilege Management (CWE-269)
2026-06-11 Chrome GHSA-8gph-wwcq-q7w9
8.8
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.3 HIGH

Description states local attacker via malicious file, so AV:L and PR:L for an existing local user; UI:R because the victim must trigger the file; full C/I/A impact from OS-level privilege escalation.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
CRITICAL
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 12, 2026 - 02:24 vuln.today
CVSS changed
Jun 12, 2026 - 02:22 NVD
8.8 (HIGH)
CVSS changed
Jun 12, 2026 - 02:22 NVD
8.8 (HIGH)
CVE Published
Jun 11, 2026 - 20:48 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 11, 2026 - 20:48 cve.org
HIGH 8.8

DescriptionCVE.org

Inappropriate implementation in Mojo in Google Chrome on Windows prior to 149.0.7827.115 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)

AnalysisAI

Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.115 stems from an inappropriate implementation in the Mojo IPC layer, allowing a local attacker who can place a malicious file on the system to elevate to OS-level privileges. The flaw is rated High severity by Chromium and carries CVSS 8.8, with a vendor patch available and no public exploit identified at time of analysis.

Technical ContextAI

Mojo is Chromium's inter-process communication (IPC) framework that brokers messages between the sandboxed renderer, GPU, utility processes, and the privileged browser process on Windows. An inappropriate implementation in Mojo (CWE-269, Improper Privilege Management) means that privilege boundaries enforced by the Windows host process model are not correctly maintained when handling certain file-backed objects, enabling a lower-privileged context to acquire rights belonging to a higher-privileged Chrome or OS component. The CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* confirms the affected component is the Chrome browser application on Windows, with fixed code shipped in 149.0.7827.115.

RemediationAI

Vendor-released patch: Google Chrome 149.0.7827.115 on Windows, distributed through the Stable channel update referenced at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html - apply via Chrome's built-in updater or enterprise update tooling and relaunch the browser to load the fix. As a compensating control until the update propagates, restrict users' ability to download or execute untrusted files (for example, via SmartScreen, AppLocker, or Windows Defender Application Control allowlists targeting the user's Downloads directory), since the attack requires a malicious file on the host; note this can disrupt legitimate workflows that rely on ad-hoc executables. Chromium-based browsers downstream of this version (Edge, Brave, Opera) should also be checked against their vendor advisories for the same Mojo fix.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-36339 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy