PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11095 Google CVE debrief

CVE-2026-11095 is a critical vulnerability in Google Chrome prior to version 149.0.7827.53. The issue involves insufficient validation of untrusted input in Codecs, allowing a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. This vulnerability has a CVSS score of 9.6, indicating a high severity level.

Vendor
Google
Product
Chrome
CVSS
CRITICAL 9.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-05
Advisory published
2026-06-04
Advisory updated
2026-06-05

Who should care

Users of Google Chrome prior to version 149.0.7827.53 should update to the latest version to mitigate this vulnerability. Additionally, organizations and individuals who rely on Google Chrome for browsing should be aware of this vulnerability and take necessary precautions.

Technical summary

The vulnerability is caused by insufficient validation of untrusted input in Codecs in Google Chrome. This allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to version 149.0.7827.53 or later.
  • Ensure that Google Chrome is configured to automatically update to the latest version.

Evidence notes

The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found in the Chrome release notes [ref-4] and Chromium issue tracker [ref-5].

Official resources

CVE-2026-11095 was published on 2026-06-04T23:17:14.590Z and modified on 2026-06-05T20:27:11.703Z.