CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free
A use-after-free flaw in Chrome's PerformanceManager could let an attacker escape the browser sandbox if they've already compromised the rendering engine. The attack requires a specially crafted web page and user interaction, but success could grant full system access. This affects Chrome versions before 148.0.7778.216.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Use after free in PerformanceManager in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10001 is a use-after-free vulnerability (CWE-416) in the PerformanceManager component of Google Chrome. The flaw exists in versions prior to 148.0.7778.216. An attacker with renderer-process compromise can trigger the vulnerability through a malicious HTML page to potentially escape Chrome's security sandbox. The CVSS 3.1 score of 8.3 reflects the high severity due to the attack's potential to achieve arbitrary code execution with system-level privileges, though the attack requires both renderer compromise and user interaction.
Business impact
Successful exploitation could allow attackers to break out of Chrome's sandbox and gain unauthorized access to the underlying operating system. Organizations relying on Chrome as a security boundary for untrusted content face elevated risk. The impact spans confidentiality, integrity, and availability of affected systems. However, the attack requires a prior compromise of the renderer process, limiting the immediate threat surface to scenarios where other browser vulnerabilities or social engineering have already granted initial access.
Affected systems
Google Chrome versions prior to 148.0.7778.216 are vulnerable on all supported platforms: Windows, macOS, and Linux systems running vulnerable Chrome instances. The vulnerability is not specific to a particular OS; any user of affected Chrome versions is at risk when visiting a malicious site after the renderer process has been compromised.
Exploitability
While the underlying flaw is a known memory-safety weakness, exploitation requires two preconditions: (1) prior compromise of Chrome's renderer process, and (2) user interaction to load a crafted HTML page. The CVSS vector (AC:H, PR:N, UI:R, S:C) reflects these constraints. The vulnerability is not currently listed in the CISA KEV catalog, suggesting active exploitation in the wild has not been widely documented at publication, though this does not eliminate the risk to organizations facing targeted attacks.
Remediation
Update Google Chrome to version 148.0.7778.216 or later immediately. This patch version addresses the use-after-free condition in PerformanceManager. Users should enable automatic updates to ensure timely patching. For organizations managing Chrome deployments, coordinate enterprise updates through your standard patch management process to minimize exposure windows.
Patch guidance
Verify and apply Chrome version 148.0.7778.216 or newer across all affected systems. Check your current version via chrome://version/ in the address bar. On Windows and macOS, Chrome typically updates automatically in the background and requires a browser restart to activate; monitor for pending updates in the settings menu. On Linux, use your distribution's package manager or the official Chrome repository. For enterprise deployments, validate patch deployment across your fleet before closing this ticket. Test patched systems against your application portfolio to confirm compatibility.
Detection guidance
Monitor for browser crashes or unexpected terminations of Chrome processes, particularly those involving PerformanceManager operations. Endpoint detection systems should flag unusual process spawning or privilege escalation attempts originating from Chrome processes. Network teams can monitor for suspicious HTML or script traffic patterns targeting known browser vulnerabilities. Log Chrome's browser history for anomalous navigation to malicious or unexpected domains. In high-security environments, restrict renderer-process access through sandbox policies and enforce the principle of least privilege for Chrome execution contexts.
Why prioritize this
Despite the sandbox-escape nature and high CVSS score, this vulnerability's real-world priority is moderated by the requirement for prior renderer compromise. Prioritize patching based on your exposure: (1) highest priority for users visiting untrusted websites or those facing sophisticated targeted attacks, (2) medium priority for general corporate users in lower-risk environments. The absence from CISA's KEV list suggests limited active exploitation to date, but organizations should not interpret this as license to delay—targeted campaigns could emerge quickly.
Risk score, explained
The CVSS 8.3 (HIGH) reflects a severe vulnerability with high impact potential (confidentiality, integrity, and availability all rated H). The score is tempered by moderate attack complexity (AC:H) and the requirement for user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the security scope of the vulnerable component—this is the sandbox-escape aspect. While the attack vector is network-based and requires no privileges, the cumulative effect of these factors yields a score in the upper-HIGH band, warranting urgent but not emergency response.
Frequently asked questions
Do I need to be actively exploited to be at risk from this vulnerability?
Partially. The vulnerability itself requires prior compromise of Chrome's renderer process, which typically occurs through separate browser exploits or social engineering. However, once a renderer is compromised—a scenario increasingly common in targeted attacks—this flaw becomes a post-compromise sandbox-escape vector. If you encounter untrusted content regularly, assume the precondition could be met.
Why isn't this on CISA's Known Exploited Vulnerabilities (KEV) list?
Inclusion in KEV requires evidence of active exploitation in the wild. At publication, such evidence was not documented, likely because the vulnerability is recent and exploitation requires multiple technical steps. KEV-free status does not mean the vulnerability is low-risk; it reflects current visibility, not future threat.
Will patching Chrome break my web applications?
Chrome version updates, especially maintenance releases like 148.0.7778.216, are designed for compatibility. Security patches rarely introduce breaking changes. Test in a staging environment before broad rollout if you have mission-critical dependencies, but delays beyond a week or two are not justified by compatibility concerns.
What should I do if I'm still on Chrome 147 or earlier?
Update to 148.0.7778.216 or later immediately. Verify the current version in chrome://version/ and restart the browser or use the browser's built-in update mechanism. If automatic updates are disabled in your organization, coordinate an emergency patch cycle. Do not delay.
This analysis is based on the official CVE record and vendor advisory information available as of the publication date. CVSS scores and severity ratings are as published by the National Vulnerability Database (NVD) and represent point-in-time assessments. Actual risk to your organization depends on your environment, Chrome version, browsing habits, and security posture. This explainer provides general guidance and should not replace your organization's formal risk assessment and patch management processes. Always verify patch versions and compatibility against official vendor documentation. SEC.co does not guarantee completeness or real-time accuracy of threat intelligence; use this content in conjunction with additional security research and threat feeds appropriate to your context. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance
- CVE-2026-10884HIGHChrome Chromecast Sandbox Escape Use-After-Free