PatchSiren cyber security CVE debrief

CVE-2026-12011 Google CVE debrief

CVE-2026-12011 is a high-severity vulnerability in Google Chrome on Windows, allowing a remote attacker to potentially perform a sandbox escape via a crafted HTML page. The vulnerability is caused by a use-after-free issue in WebMIDI. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-11
Original CVE updated: 2026-06-12
Advisory published: 2026-06-11
Advisory updated: 2026-06-12

Who should care

Users of Google Chrome on Windows, particularly those who browse the web and may encounter crafted HTML pages.

Technical summary

The vulnerability is caused by a use-after-free issue in WebMIDI, which allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. The CVSS score for this vulnerability is 8.3, indicating a high severity.

Defensive priority

High

Recommended defensive actions

Update Google Chrome to version 149.0.7827.115 or later.
Use a web browser that is not vulnerable to this issue.
Be cautious when clicking on links or visiting websites from unknown sources.

Evidence notes

The CVE record and NVD detail can be found at [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-12011) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-12011), respectively. Additional information can be found in the vendor advisory at [ref-4](https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html).

Official resources

CVE-2026-12011 CVE record
CVE.org
CVE-2026-12011 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Vendor Advisory
Source reference
[email protected] - Issue Tracking, Permissions Required

CVE-2026-12011 was published on 2026-06-11T22:16:53.597Z and modified on 2026-06-12T17:20:13.367Z.