CVE-2026-12027 Google CVE debrief

Who should care

Users of Google Chrome prior to version 149.0.7827.115 should update to the latest version to mitigate this vulnerability. Additionally, administrators and security teams responsible for managing Chrome deployments should prioritize patching to prevent potential sandbox escapes.

Technical summary

The vulnerability is caused by an inappropriate implementation in Headless in Google Chrome. This could allow a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

Defensive priority

High

Recommended defensive actions

• Update Google Chrome to version 149.0.7827.115 or later.
• Review and apply the vendor advisory: [ref-4](https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html).
• Monitor issue tracking for additional information: [ref-5](https://issues.chromium.org/issues/517517155).

Evidence notes

The CVE record for CVE-2026-12027 can be found at [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-12027). The NVD detail page is available at [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-12027).

Official resources