HIGH 8.3

CVE-2026-10884: Chrome Chromecast Sandbox Escape Use-After-Free

A use-after-free memory vulnerability exists in Google Chrome's Chromecast component that could allow an attacker to escape the browser's sandbox if the attacker has already compromised the renderer process. The vulnerability requires user interaction and specific browser conditions, but successful exploitation could grant an attacker unauthorized access to the host system. Google has assigned this a Critical severity rating within Chromium's threat model.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Chromecast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10884 is a use-after-free vulnerability (CWE-416) in the Chromecast subsystem of Google Chrome versions prior to 149.0.7827.53. The flaw permits a threat actor who has successfully compromised the browser's renderer process to craft a malicious HTML page that triggers unsafe memory access, potentially enabling a sandbox escape. The vulnerability requires network-level access and user interaction to initiate the attack chain. CVSS 3.1 assigns it a score of 8.3 (HIGH severity) with attack vector network, attack complexity high, and impact across confidentiality, integrity, and availability.

Business impact

Successful exploitation chains renderer compromise with sandbox escape, effectively granting attackers kernel-level or system-level code execution on affected machines. This undermines Chrome's multi-process security architecture. Organizations with high-risk user populations or those running untrusted content in Chrome face elevated risk of host compromise, data exfiltration, and lateral movement. Delayed patching extends the window during which a compromised renderer becomes a stepping stone to full system control.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are vulnerable. The vulnerability affects Chrome deployments across Windows, macOS, and Linux systems. Related kernel or OS versions may also be impacted depending on integration points, though the vulnerability is primarily a Chrome application-level issue. Organizations should audit Chrome deployment versions and prioritize patching across all platforms.

Exploitability

Exploitation requires two preconditions: (1) the renderer process must already be compromised, typically via a separate vulnerability or malicious webpage, and (2) the user must interact with the crafted HTML page. The attack complexity is rated high, meaning exploitation depends on specific runtime conditions and memory state. While not trivial, the technique is within reach of sophisticated threat actors. The lack of CISA KEV listing suggests no known public exploits have been formally disclosed or widely observed in the wild as of the latest advisory update.

Remediation

Update Google Chrome to version 149.0.7827.53 or later on all affected systems. Verify the update through Chrome's Settings > About menu to confirm automatic or manual patching. For enterprise deployments, use managed update policies to enforce timely rollout. Additionally, reinforce defense-in-depth practices: restrict renderer-process attack surface by disabling unnecessary plugins, enforce sandboxing policies, and monitor for suspicious child process activity as an indicator of sandbox escape attempts.

Patch guidance

Google has released Chrome 149.0.7827.53 as the stable release addressing this vulnerability. Verify patch installation by navigating to chrome://version in the browser address bar. For managed Chrome deployments (Windows, macOS, Linux), confirm that enterprise update channels have propagated the fix. Test the patch in a non-production environment before full rollout. Confirm no web application compatibility regressions occur post-update. Organizations with auto-update enabled will receive the patch; those with manual update policies should schedule patching within their change management windows.

Detection guidance

Monitor Chrome process behavior for anomalies indicating sandbox escape attempts: (1) unusual child processes spawned from the Chrome process, particularly those with elevated privileges or unexpected executable paths, (2) Chrome renderer process crashes followed by suspicious system-level activity, (3) unexpected network connections or file access initiated outside normal Chrome behavior. Endpoint detection and response (EDR) tools should alert on memory corruption indicators and abnormal process tree structures. Log Chrome crash reports and correlate them with subsequent system compromises. Additionally, web filtering should block known malicious HTML payloads associated with Chromecast exploitation attempts.

Why prioritize this

Although CVSS is 8.3 (HIGH) rather than critical at the CVSS level, the Chromium severity is Critical and the exploit chain bypasses browser sandboxing—a foundational security boundary. The vulnerability poses significant risk to organizations because successful exploitation grants system-level access. The absence of a KEV listing and apparent lack of public exploit code suggests a narrow exploitation window before weaponization. Prioritize patching above routine updates but below actively exploited 0-days.

Risk score, explained

The CVSS 3.1 score of 8.3 reflects high impact (C:H, I:H, A:H) across confidentiality, integrity, and availability, balanced by the requirement for renderer compromise and user interaction (AC:H, PR:N contextual to the renderer). The score appropriately captures that this is a severe post-compromise vulnerability rather than a direct remote code execution. Organizations should not be misled by the HIGH label; the sandbox-escape nature and system-level access potential warrant treatment as a critical-priority patch in practice.

Frequently asked questions

Does this vulnerability allow direct remote code execution without prior compromise?

No. The vulnerability requires the renderer process to be already compromised, typically via a separate vulnerability or malicious content. The attacker must then craft a specific HTML page to trigger the use-after-free and escape the sandbox. This is a post-compromise escalation vector, not a direct RCE from an unauthenticated network position.

Is this vulnerability currently being exploited in the wild?

As of the advisory date, the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and no widely documented public exploits have been disclosed. However, organizations should assume sophisticated threat actors may develop exploits once the patch is public. Rapid patching is essential to minimize the exploitation window.

Do all platforms (Windows, macOS, Linux) have the same risk profile?

Yes. The Chromecast use-after-free affects Chrome across all major platforms. Windows, macOS, and Linux systems running vulnerable Chrome versions are equally at risk. Patch deployment should cover all platforms uniformly.

What should we do if we cannot patch immediately?

Implement compensating controls: disable Chromecast features in managed Chrome policies if not business-critical, restrict Chrome access to trusted websites, enforce strict content security policies, and deploy EDR solutions to monitor for sandbox escape indicators. However, treat this as temporary mitigation only; schedule patching as soon as operationally feasible.

This analysis is provided for informational purposes to assist security teams in risk assessment and remediation planning. The information is accurate as of the advisory publication date (June 4, 2026) and subsequent modification (June 17, 2026). Patch version numbers and technical details are based on official vendor advisories; verify patch status against Google Chrome's official release notes before production deployment. This vulnerability analysis does not constitute legal advice or a guarantee of patch efficacy. Organizations are responsible for testing patches in their own environments and conducting validation prior to full rollout. SEC.co makes no warranty regarding the completeness or applicability of this guidance to specific threat models or operational constraints. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).