CVE-2026-12027
Published: 11 June 2026
Summary
CVE-2026-12027 is a critical-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Google Chrome, with a CVSS base score of 9.6 (Critical). The CVSS rating is higher than Chromium's own severity of High for this bug; Chromium's rating takes into account that the attacker must already have compromised the renderer process before the sandbox escape becomes possible.
Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611). The vulnerability ranks at the 13.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-36347
Vulnerability details
Inappropriate implementation in Headless in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
- CWE(s): CWE-250 Execution with Unnecessary Privileges
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-mapped)
- Escape to Host (T1611)
Why these techniques?
A sandbox escape following renderer compromise maps to Escape to Host. Note that ATT&CK defines T1611 in terms of breaking out of a container to the underlying host; a browser sandbox escape, in which code already running in the restricted renderer gains the privileges the sandbox withholds, is the closest available technique and is matched by analogy.
Affected Assets
Google Chrome prior to 149.0.7827.115. Because the flaw is in the Headless component, deployments that run Chrome headless (automation, rendering and test pipelines), where updates often lag the desktop release channel, are the assets to inventory alongside ordinary desktop installs.
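An added example (not part of this advisory or of the Chromium project) of the version check an inventory job would apply to this CVE: it parses `--version` output from Chrome or Chromium, compares it against the fixed build 149.0.7827.115 from the description above, and labels each host. The sample inventory lines and host names are constructed; the `check_local_binary` helper and its default binary name `google-chrome` are assumptions for illustration.

```python
"""Version check for CVE-2026-12027 (added example; not from the advisory).

Classifies `chrome --version` output against the fixed build 149.0.7827.115
taken from the NVD description. Sample lines below are constructed.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Builds strictly older than this are affected (from the NVD description).
FIXED_VERSION: Tuple[int, ...] = (149, 0, 7827, 115)

# First dotted version token in a line such as "Google Chrome 149.0.7827.100"
# or "Chromium 149.0.7827.115 snap". Two to four numeric components.
_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version as a 4-tuple of ints, or None if none is present.

    Short versions are zero-padded on the right so tuple comparison works;
    "149.0.7827" therefore sorts below 149.0.7827.115, which is the
    conservative choice when the build number is missing.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(text: str, fixed: Tuple[int, ...] = FIXED_VERSION) -> Optional[bool]:
    """True if the reported build predates the fix, False if not, None if unparseable."""
    version = parse_version(text)
    if version is None:
        return None
    return version < fixed


def classify_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'affected' | 'fixed' | 'unknown' from collected --version lines."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {host: labels[is_affected(line)] for host, line in inventory.items()}


def check_local_binary(binary: str = "google-chrome") -> Optional[bool]:
    """Run `<binary> --version` on this host (assumed name); None if absent or silent."""
    try:
        proc = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10, check=False
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_affected(proc.stdout)


# Constructed sample of --version lines as an inventory job might collect them.
SAMPLE_INVENTORY = {
    "ci-runner-01": "Google Chrome 149.0.7827.100",
    "pdf-render-02": "Chromium 148.0.7000.200 snap",
    "laptop-07": "Google Chrome 149.0.7827.115",
    "scraper-03": "Chromium 150.0.7900.1",
    "legacy-04": "command not found",
}

if __name__ == "__main__":
    for host, label in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {label}")
    local = check_local_binary()
    print("local google-chrome:", {True: "affected", False: "fixed", None: "not found"}[local])
```

Hosts that report a three-component version are deliberately treated as affected rather than unknown, since without the build number the check cannot establish that the fix is present; an unparseable line is reported as unknown so it is followed up rather than silently passed.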
Mitigating Controls
The direct fix is to update Google Chrome to 149.0.7827.115 or later, including headless builds used by automation and rendering pipelines.
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-250) cited in the NVD entry and is therefore generic to unnecessary-privilege weaknesses rather than specific to this browser sandbox escape.
- CONOPS explicitly defines intended operational roles, procedures, and privilege usage, reducing the likelihood of unnecessary privileges being assigned or retained during system operation.
- Workforce programs emphasize least-privilege principles, directly reducing unnecessary privilege assignments.
- The least-privilege engineering principle directly reduces execution with unnecessary privileges.
- Mandatory hardware separation makes it harder to run code with unnecessary privileges by isolating privilege domains.
- Policy promotes least privilege by defining necessary privileges and management commitment to them.
- Supervision detects and allows removal of unnecessary privileges that enable execution with excess rights.
- Reviewing accounts for compliance, disabling or removing unneeded accounts, and aligning with termination processes prevents execution with unnecessary privileges.
- Implements a reliable, tamperproof protection mechanism whose completeness can be assured.