CVE-2026-10014: Chrome Android WebMIDI Sandbox Escape (CVSS 8.3)
A use-after-free memory flaw in Chrome's WebMIDI implementation on Android allows an attacker who has already compromised Chrome's renderer process to escape the sandbox through a specially crafted web page. This is a privilege escalation attack: the attacker must first breach the renderer sandbox, then exploit this vulnerability to break out and gain full device access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Use after free in WebMIDI in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10014 is a use-after-free vulnerability (CWE-416) in the WebMIDI subsystem of Google Chrome on Android versions prior to 148.0.7778.216. The flaw permits a compromised renderer process to execute arbitrary code outside the sandbox boundary via a malicious HTML page. WebMIDI is a browser API that enables web pages to access MIDI (Musical Instrument Digital Interface) devices; the vulnerability arises from improper memory lifecycle management in this component. The attack requires prior renderer compromise, making it a two-stage exploit chain.
Business impact
Organizations supporting Android users or enforcing Chrome as an approved browser face increased risk of device compromise following a web-based attack. If an attacker combines this sandbox-escape with a separate renderer vulnerability, they can escalate from browser code execution to full Android device control, potentially compromising sensitive data, communications, and corporate authentication. The impact is highest in BYOD environments and organizations where Chrome is the primary enterprise browser on mobile.
Affected systems
Google Chrome on Android versions before 148.0.7778.216 is directly affected. The vulnerability does not impact Chrome on desktop platforms (Windows, macOS, Linux). Android users running Chrome 148.0.7778.216 or later are protected. The WebMIDI API is not widely used in typical web applications, but any site hosting malicious code could attempt exploitation if a user has already been compromised at the renderer level.
Exploitability
Exploitability is limited by the prerequisite renderer compromise; an attacker cannot trigger this flaw from an unprivileged web context alone. However, once the renderer is compromised (via a separate vulnerability or social engineering), exploitation becomes feasible. The CVSS vector (AV:N/AC:H/UI:R) reflects network-based attack, high attack complexity, and user interaction. In the wild, this would be chained with a renderer vulnerability; no standalone, unaided exploitation path exists. KEV listing is not active, indicating limited current adversarial tracking.
Remediation
Update Chrome on all Android devices to version 148.0.7778.216 or later. Enable automatic Chrome updates through the Google Play Store settings. Organizations managing Android devices via mobile device management (MDM) solutions should deploy the patch via their management console. No workaround is available; patching is the only mitigation.
Patch guidance
Verify your Android Chrome version in Settings → About Chrome; the app will show the current version and automatically download the latest build if available. For enterprise deployments, confirm that your MDM solution is configured to enforce Chrome updates. If Chrome has not auto-updated within 24 hours, manually initiate the update via the Play Store. Prioritize devices used for high-value tasks or accessing sensitive corporate systems. Testing on a small user cohort before full rollout is recommended to ensure compatibility with your organization's web applications.
Detection guidance
Detection of active exploitation is challenging without browser-level logging. However, monitor for unusual process spawning or privilege escalation attempts on Android devices following suspicious web browsing. If available, enable Chrome's Safe Browsing alerts and review Play Store security events in your MDM dashboard. Web application firewalls cannot detect this attack in transit, as it requires a compromised renderer; focus detection efforts on post-compromise indicators such as unexpected network connections or permission escalations from Chrome processes.
Why prioritize this
Although this vulnerability requires prior renderer compromise, it is a critical sandbox-escape mechanism that amplifies the impact of other Chrome vulnerabilities. The High CVSS score (8.3) reflects the severity of the consequence (full Android device compromise), not the standalone attack likelihood. Organizations should prioritize this patch as part of their Chrome update schedule, especially if renderer-level flaws have been recently disclosed. The lack of KEV listing should not lower priority—it reflects current threat intelligence, not inherent danger.
Risk score, explained
The CVSS 3.1 score of 8.3 (HIGH) is driven by high confidentiality, integrity, and availability impact (sandbox escape enables full device control), network-based attack vector, but mitigated by high attack complexity and requirement for user interaction and prior compromise. This score appropriately reflects the *consequence* of exploitation, not the *likelihood* without a renderer vulnerability. Organizations should contextualize this within their renderer vulnerability exposure: if your Chrome users face active renderer exploits, this sandbox-escape becomes a critical follow-on threat.
Frequently asked questions
Do I need to patch if my users only use Chrome for email and web browsing?
Yes. Although WebMIDI is not commonly used, an attacker could craft a deceptive page appearing to serve legitimate content while exploiting this flaw after achieving renderer compromise via a separate vulnerability. Patching removes the sandbox-escape path and should be treated as routine maintenance.
Is this vulnerability exploited in the wild?
As of the advisory date, CVE-2026-10014 is not tracked in the CISA KEV catalog and no public reports of active exploitation have emerged. However, the vulnerability is high-severity and could be incorporated into advanced attack chains. Do not assume absence from KEV means low risk in your specific environment.
Can I disable WebMIDI to prevent exploitation?
Chrome does not offer a granular setting to disable WebMIDI without affecting broader site functionality. Patching is the primary remediation. If your organization prohibits MIDI device access, MDM policies restricting Chrome permissions may provide defense-in-depth, but should not substitute for patching.
Does this affect Chrome on iOS?
No. iOS Chrome is built on WebKit, not Chromium, and does not include the same WebMIDI implementation. Android Chrome users are the only affected population.
This analysis is provided for informational purposes and does not constitute legal, security, or investment advice. CVE-2026-10014 details are derived from Chromium security advisories and CVSS specifications. Organizations should verify patch applicability and compatibility in their specific environments before deployment. SEC.co makes no warranty regarding the completeness or accuracy of threat intelligence; always consult official vendor advisories for authoritative guidance. Mention of this vulnerability does not imply current active exploitation in any organization. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment