CVE-2026-10020: Chrome Android Sandbox Escape via Skia Input Validation Flaw
A flaw in Chrome's Skia graphics library on Android allows an attacker who has already compromised Chrome's renderer process to escape the security sandbox and gain full device access. The vulnerability requires the user to visit a specially crafted webpage, but the heavy lifting—compromising the renderer first—means this is a two-stage attack. Chrome versions before 148.0.7778.216 on Android are affected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in Skia in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10020 stems from insufficient input validation in Skia, Chrome's rendering engine, when processing untrusted data. An attacker controlling the compromised renderer process can craft a malicious HTML page that triggers an out-of-bounds condition or memory corruption in Skia's code path. This allows the attacker to break out of the sandbox isolation that normally restricts Chrome renderer processes, escalating to system-level privileges on the Android device. The vulnerability is classified as CWE-20 (Improper Input Validation). Google assigned it Medium severity internally, though the CVSS v3.1 score of 8.3 reflects the high confidentiality, integrity, and availability impact when successfully exploited.
Business impact
For enterprise environments deploying Chrome on Android devices, this vulnerability poses a risk primarily in targeted attack scenarios. An attacker would first need to compromise the renderer (via another bug or watering-hole attack), then use this sandbox escape to access sensitive data, install malware, or move laterally within corporate networks. Organizations managing Android deployments should assess whether Chrome is a primary threat vector in their threat model and whether their users' threat profile warrants urgent patching. Unmanaged personal devices may face lower organizational risk but higher individual user risk.
Affected systems
Google Chrome on Android versions prior to 148.0.7778.216 are vulnerable. The underlying Android platform is listed as an affected vendor, though the vulnerability is specific to Chrome's Skia implementation rather than Android OS itself. Desktop and other platform versions of Chrome are not affected by this particular flaw. Organizations should verify Chrome version numbers across their Android fleet; version 148.0.7778.216 and later contain the fix.
Exploitability
Exploitation requires a two-stage attack: first compromising Chrome's renderer process (via a separate vulnerability or social engineering), then delivering the crafted HTML page to trigger the sandbox escape. The CVSS vector 'AC:H' (high attack complexity) and 'UI:R' (user interaction required) reflect these constraints. While not a one-click remote code execution, the impact is severe once the renderer is compromised. No public exploits are known or tracked in the CISA KEV catalog, but the design is such that a motivated attacker with capability and access to the renderer could develop working code.
Remediation
Update Google Chrome on Android to version 148.0.7778.216 or later. Organizations using mobile device management (MDM) solutions should deploy this update to managed Android devices as a priority. For unmanaged or BYOD environments, consider user communication campaigns to encourage immediate updates. Verify completion by checking Chrome version numbers in Settings > About Chrome on affected devices.
Patch guidance
Google released the fix in Chrome 148.0.7778.216. Organizations should follow their standard patch management process: test the update in a non-production environment if feasible, then roll out to all Android devices via MDM or user-directed updates. The update addresses the root cause of insufficient input validation in Skia, so no workarounds are recommended. Given the sandbox-escape nature, this patch should be treated as important rather than deferrable.
Detection guidance
Monitor for unexpected sandbox escapes or privilege elevation attempts on Android devices. EDR or MDM solutions with behavioral analysis may detect process behavior consistent with sandbox escape (e.g., renderer process spawning system-level commands). Check Chrome version numbers via MDM telemetry or device inventory tools to identify unpatched systems. Log and alert on failed or delayed Chrome updates in your fleet.
Why prioritize this
Although not yet in the CISA Known Exploited Vulnerabilities catalog, this sandbox-escape flaw merits prompt attention because: (1) it bridges from the renderer (a frequently compromised process) to system access; (2) Android is a common attack surface in BYOD and enterprise environments; and (3) the CVSS 8.3 score reflects high impact. Organizations with significant Android Chrome usage should prioritize within 30 days; others may follow standard patching cycles.
Risk score, explained
CVSS 8.3 (HIGH) reflects the worst-case scenario: an attacker who has compromised the renderer can fully escape the sandbox (C:H, I:H, A:H) and potentially access the entire device. The 'AC:H' and 'UI:R' components reduce it from Critical because the initial renderer compromise is a prerequisite and user action is needed. The 'S:C' (scope changed) indicates that impact extends beyond the vulnerable component to the broader system.
Frequently asked questions
Why does this need both a renderer compromise and a crafted HTML page?
Chrome's sandbox isolates the renderer process from system resources as a defense-in-depth layer. A bug in the renderer itself (like Skia input validation) is typically confined to that sandbox. This vulnerability allows an attacker who controls the renderer to then break out of that sandbox. So the attack chain is: Step 1 (get code in renderer via separate exploit or compromise), Step 2 (use this flaw to escape to system level).
Do desktop versions of Chrome have the same vulnerability?
No. This vulnerability is specific to Chrome on Android. Skia is used across all platforms, but the input validation flaw is in Android-specific code paths. Desktop users are not affected.
Is there a workaround if we can't update immediately?
No reliable workaround exists. The best interim measure is to restrict user browsing on Android devices to trusted sites, disable JavaScript if operationally feasible, and watch for signs of compromise. However, patching to 148.0.7778.216 or later is the only proper fix.
How do we verify that our Android devices are patched?
Open Chrome, tap Menu > About Chrome. The version number will appear; verify it shows 148.0.7778.216 or higher. For managed devices, check MDM telemetry or device inventory dashboards to audit the fleet. Some MDM solutions allow automated version enforcement and reporting.
This analysis is provided for informational purposes and is current as of the publication date. CVSS scores and severity ratings are based on vendor disclosures and standardized scoring frameworks. Actual risk to your organization depends on your specific environment, threat model, and asset criticality. Verify all patch versions and compatibility in your environment before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis; organizations should supplement this with vendor advisories and their own security assessments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10920HIGHChrome macOS WebShare Sandbox Escape Vulnerability (v149)
- CVE-2026-10922HIGHChrome DevTools Same-Origin Policy Bypass (CVSS 8.8)