Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15122

CVE-2026-15122: Google Chrome Codecs RCE Vulnerability

CVE-2026-15122 is a remote code execution flaw in Google Chrome Codecs on Windows that enables sandbox escape through compromised renderer processes. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-15122 Overview

CVE-2026-15122 is a high-severity input validation flaw in the Codecs component of Google Chrome on Windows. Versions prior to 150.0.7871.115 fail to properly validate untrusted input processed by the browser's media codec pipeline. An attacker who has already compromised the renderer process can leverage this weakness to escape the Chrome sandbox using a crafted HTML page. The Chromium project rates the security severity as High, and the issue is tracked under [CWE-20] Improper Input Validation.

Critical Impact

Successful exploitation enables a sandbox escape from a compromised renderer, giving attackers execution outside Chrome's isolation boundary on Windows hosts.

Affected Products

  • Google Chrome on Windows prior to 150.0.7871.115
  • Chromium-based browsers on Windows using the affected Codecs component
  • Downstream distributions bundling vulnerable Chromium builds

Discovery Timeline

  • 2026-07-08 - CVE-2026-15122 published to the National Vulnerability Database (NVD)
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-15122

Vulnerability Analysis

The vulnerability resides in Chrome's Codecs subsystem on Windows. The component processes media streams and related payloads delivered through web content. Insufficient validation of untrusted input allows attacker-controlled data to violate assumptions the codec pipeline makes about its inputs.

Exploitation requires an attacker to first compromise the renderer process. Renderers execute web content in a low-privilege sandbox, so a second bug is normally needed to reach system-level impact. This flaw provides that second stage by turning a renderer compromise into a sandbox escape. The high attack complexity and required user interaction reflect the multi-stage nature of the attack chain.

Root Cause

The root cause is improper input validation ([CWE-20]) inside code paths reachable by the Codecs component. Data crossing the trust boundary between renderer-supplied buffers and higher-privileged browser components is not fully sanitized. When malformed structures reach downstream logic, the resulting state confusion enables the sandbox boundary to be crossed. The condition is Windows-specific, indicating platform-dependent codec handling.

Attack Vector

Delivery occurs through a crafted HTML page loaded by a targeted user. The attacker must already control the renderer process, typically via a prior renderer exploit chained with this issue. Once the malformed codec input is processed, the attacker gains execution outside the sandbox with browser-process privileges on the Windows host. The scope change reflects impact beyond the initially compromised component.

No public proof-of-concept is available at publication time. Technical details are tracked in the Chromium Issue Tracker Entry and the Chrome Blog Update.

// No verified public exploit code is available for CVE-2026-15122.
// Refer to the Chromium issue tracker for technical details once the entry is unrestricted.

Detection Methods for CVE-2026-15122

Indicators of Compromise

  • Chrome browser processes on Windows spawning unexpected child processes outside standard renderer or utility patterns
  • Anomalous file writes or registry modifications originating from chrome.exe after visiting untrusted web content
  • Network connections from Chrome browser-process instances to previously unseen or low-reputation domains
  • Crash telemetry referencing the Codecs component in Chrome versions prior to 150.0.7871.115

Detection Strategies

  • Inventory Chrome installations across Windows endpoints and flag any build below 150.0.7871.115.
  • Alert on process lineage where chrome.exe launches shells, script interpreters, or LOLBins.
  • Correlate browser crash reports with subsequent unusual process or network activity on the same host.
  • Monitor for renderer sandbox escape patterns such as browser processes writing to autorun or startup locations.

Monitoring Recommendations

  • Ingest Chrome update and version telemetry into central logging to track patch adoption.
  • Baseline normal Chrome child-process trees and alert on deviations, particularly on Windows endpoints handling untrusted content.
  • Track EDR telemetry for behavioral chains linking web navigation, renderer crashes, and post-exploitation activity.

How to Mitigate CVE-2026-15122

Immediate Actions Required

  • Update Google Chrome on Windows to version 150.0.7871.115 or later across all managed endpoints.
  • Force-restart Chrome after deployment to ensure the patched binary is active in memory.
  • Audit Chromium-based browsers and embedded webviews on Windows for the same Codecs component and update accordingly.
  • Prioritize patching on hosts that regularly browse untrusted content or handle sensitive data.

Patch Information

Google released the fix in Chrome Stable channel version 150.0.7871.115 for Windows. Patch details and rollout notes are available in the Chrome Blog Update. Enterprise administrators should validate deployment through Chrome Browser Cloud Management or existing software distribution tooling.

Workarounds

  • Enforce Chrome auto-update via Group Policy so managed endpoints receive fixes without user action.
  • Restrict browsing to trusted sites through URL allowlisting where operational requirements permit.
  • Disable or restrict experimental media features and third-party codec extensions until patching completes.
  • Apply Windows attack surface reduction rules that block browser processes from spawning child executables.
bash
# Verify Chrome version on Windows endpoints via PowerShell
(Get-Item "C:\Program Files\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion

# Force Chrome update through the built-in updater
& "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.