CVE-2026-12027

Critical · CVSS 9.6

Google Chrome Headless — Sandbox escape via inappropriate implementation in Headless renderer

CVSS: 9.6; nvd
EPSS: —
KEV: No
Class: kernel local; CWE-250, CWE-693

Description

Inappropriate implementation in Headless in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Search profile — drives PoC discovery

Symbols Headlessrenderer processsandbox escapecrafted HTML pageChromiumHeadlessheadless chrome--headless

Keywords CVE-2026-12027Chrome Headless sandbox escapeChromium 149.0.7827.115renderer sandbox escapeChromium Headless inappropriate implementationissues.chromium.org 517517155Chrome headless renderer compromise

Versions: < 149.0.7827.115

References

https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html
https://issues.chromium.org/issues/517517155

Status: enriched · ingested 2026-06-13T06:00:30.000Z · profiled 2026-06-16T18:19:23.017Z