Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description states local attacker via malicious file, so AV:L and PR:L for an existing local user; UI:R because the victim must trigger the file; full C/I/A impact from OS-level privilege escalation.
Primary rating from Vendor (Chrome).
CVSS VectorVendor: Chrome
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Inappropriate implementation in Mojo in Google Chrome on Windows prior to 149.0.7827.115 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
AnalysisAI
Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.115 stems from an inappropriate implementation in the Mojo IPC layer, allowing a local attacker who can place a malicious file on the system to elevate to OS-level privileges. The flaw is rated High severity by Chromium and carries CVSS 8.8, with a vendor patch available and no public exploit identified at time of analysis.
Technical ContextAI
Mojo is Chromium's inter-process communication (IPC) framework that brokers messages between the sandboxed renderer, GPU, utility processes, and the privileged browser process on Windows. An inappropriate implementation in Mojo (CWE-269, Improper Privilege Management) means that privilege boundaries enforced by the Windows host process model are not correctly maintained when handling certain file-backed objects, enabling a lower-privileged context to acquire rights belonging to a higher-privileged Chrome or OS component. The CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* confirms the affected component is the Chrome browser application on Windows, with fixed code shipped in 149.0.7827.115.
RemediationAI
Vendor-released patch: Google Chrome 149.0.7827.115 on Windows, distributed through the Stable channel update referenced at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html - apply via Chrome's built-in updater or enterprise update tooling and relaunch the browser to load the fix. As a compensating control until the update propagates, restrict users' ability to download or execute untrusted files (for example, via SmartScreen, AppLocker, or Windows Defender Application Control allowlists targeting the user's Downloads directory), since the attack requires a malicious file on the host; note this can disrupt legitimate workflows that rely on ad-hoc executables. Chromium-based browsers downstream of this version (Edge, Brave, Opera) should also be checked against their vendor advisories for the same Mojo fix.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36339
GHSA-8gph-wwcq-q7w9