VYPR
patchPublished Jun 11, 2026· Updated Jun 12, 2026· 1 source

Google Chrome 149 Patches 25 Bugs — Over a Dozen Sandbox Escapes

Key findings • 25 CVEs fixed in Chrome 149.0.7827.115 on June 11, 2026 • At least 13 CVEs are sandbox escape bugs, rated High to Critical • Three CVEs carry Chromium Critical severity: GP…

Key findings

  • 25 CVEs fixed in Chrome 149.0.7827.115 on June 11, 2026
  • At least 13 CVEs are sandbox escape bugs, rated High to Critical
  • Three CVEs carry Chromium Critical severity: GPU, WebMIDI, Accessibility
  • Two use-after-free bugs (Autofill, Views) enable heap corruption directly via HTML pages
  • CVSS 8.8 bugs in Mojo (Windows) and Autofill (Mac) are the highest scoring
  • All platforms affected: Windows, Mac, Linux, ChromeOS, Android

On June 11, 2026, Google shipped Chrome 149.0.7827.115 to patch 25 security vulnerabilities, an unusually large batch that includes a striking concentration of sandbox escape bugs that could let attackers break out of Chrome's restricted process sandbox after gaining initial code execution in the renderer.

A Wave of Sandbox Escapes

The single most important pattern in this release is the volume of bugs tagged as sandbox escapes. At least 13 CVEs—CVE-2026-12034, CVE-2026-12031, CVE-2026-12030, CVE-2026-12029, CVE-2026-12028, CVE-2026-12027, CVE-2026-12023, CVE-2026-12022, CVE-2026-12019, CVE-2026-12016, CVE-2026-12014, CVE-2026-12011, and CVE-2026-12009—allow a remote attacker who has already compromised the renderer process to escape the Chrome sandbox. The attack surface spans GPU (Android, Mac), Video (Windows), Views (Windows), Linux Toolkit Theming, Safe Browsing (Mac), Codecs (Linux/ChromeOS), Cast, WebMIDI (Windows), Accessibility (Mac), and DevTools. Most carry CVSS 8.3 and a Chromium severity of High, with CVE-2026-12010 (GPU heap buffer overflow on Android), CVE-2026-12011 (WebMIDI use-after-free on Windows), and CVE-2026-12009 (Accessibility input validation on Mac) rated Critical.

Memory Corruption and Data Leaks

Several use-after-free and heap corruption bugs are reachable directly from a crafted HTML page without requiring a prior compromise. CVE-2026-12035 is a use-after-free in Views on Windows (High, heap corruption). CVE-2026-12020 is a use-after-free in Autofill on Mac (CVSS 8.8) that also leads to heap corruption. CVE-2026-12012 is a use-after-free in Network that can be triggered by an attacker in a privileged network position (CVSS 8.1). CVE-2026-12018 is an inappropriate implementation in Mojo on Windows that allows a local attacker to escalate to OS-level privileges (CVSS 8.8). On the information-disclosure side, CVE-2026-12033 (VideoCapture out-of-bounds read, GPU process compromise), CVE-2026-12026 (Video out-of-bounds read on ChromeOS), and CVE-2026-12015 (Autofill use-after-free) each allow an attacker who has compromised the renderer to read sensitive memory.

Feature-Specific Bugs and Isolation Bypasses

A handful of bugs target Chrome features directly, enabling cross-origin data leaks or site isolation bypasses. CVE-2026-12025 is an insufficient validation bug in Network that lets a compromised renderer leak cross-origin data. CVE-2026-12024 is a DevTools policy-enforcement flaw that bypasses same-origin policy entirely. CVE-2026-12032 (Passwords on Android) and CVE-2026-12017 (Extensions) both allow a compromised renderer to bypass site isolation.

Response and Patch Status

Google addressed all 25 CVEs in Chrome 149.0.7827.115 for Windows, Mac, Linux, ChromeOS, and Android. The stable channel update was released on June 11, 2026. Users and enterprise administrators should apply the update immediately, particularly given the large number of sandbox escape paths that could turn a renderer compromise into full system access. Chrome's automatic updater will install the fix on restart, but organizations relying on managed deployment should prioritize this release.

Why This Batch Matters

While Chrome's monthly security updates routinely fix a dozen or more bugs, the June 2026 batch stands out for the sheer density of sandbox escape vectors—over half the CVEs share that post-compromise impact category. The presence of Critical-rated issues in GPU, WebMIDI, and Accessibility on multiple platforms broadens the attack surface for any adversary with a renderer exploit. For defenders, patch latency is the single variable that matters: once a renderer 0-day is available, an attacker needs only one of these sandbox escapes to achieve code execution outside the browser.

Synthesized by Vypr AI