HIGH 8.8

CVE-2026-10904: Chrome V8 Sandbox Escape Remote Code Execution

Google Chrome versions prior to 149.0.7827.53 contain a flaw in the V8 JavaScript engine that allows attackers to break out of the browser sandbox and run malicious code with full privileges. An attacker can exploit this by tricking a user into visiting a specially crafted website. Once triggered, the vulnerability bypasses Chrome's security boundary—the sandbox that normally isolates web content from the rest of the system—giving an attacker direct access to execute arbitrary code on the victim's machine.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-20, CWE-94
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10904 is a sandbox escape vulnerability in the V8 JavaScript engine within Google Chrome. The vulnerability stems from improper input validation (CWE-20), a buffer overflow or out-of-bounds access condition (CWE-119), and unsafe code evaluation mechanisms (CWE-94). When a user visits a malicious HTML page, the crafted payload triggers the flaw in V8's implementation, allowing arbitrary code execution to occur within what should be an isolated sandboxed context. The attack vector is network-based, requires minimal attacker privileges, and depends only on user interaction (visiting a link), making it practically exploitable in real-world scenarios.

Business impact

A successful exploit grants an attacker code execution at the user's privilege level on any Windows, macOS, or Linux system running vulnerable Chrome. The attacker can then steal credentials, install persistent malware, exfiltrate sensitive data, modify files, or pivot to other systems on the network. For organizations where Chrome is the standard browser, this vulnerability poses a significant risk to data confidentiality, system integrity, and operational continuity. Remote, user-driven attacks require no authentication or administrative access, making this a top priority for rapid remediation.

Affected systems

This vulnerability affects Google Chrome prior to version 149.0.7827.53 across all major operating systems: Windows, macOS, and Linux. The underlying V8 engine flaw means all browsers or applications that embed V8 may also be at risk; verify vendor advisories for Chromium-based browsers and embedded V8 usage. Apple macOS and Microsoft Windows systems running Chrome are primary targets, along with any Linux distribution with Chrome installed.

Exploitability

This vulnerability is highly exploitable. The attack requires only that a user visit a malicious website—no special browser configuration, plugin installation, or victim action beyond clicking a link is necessary. The network attack vector and low complexity mean an attacker can host the exploit on any public web server or inject it into compromised sites or ad networks. The CVSS score of 8.8 (High) reflects the combination of network accessibility, ease of exploitation, and complete compromise of confidentiality, integrity, and availability. No evidence of active exploitation in the wild has been confirmed at the time of this analysis, but the low barrier to exploitation suggests rapid weaponization is likely.

Remediation

Immediately update Google Chrome to version 149.0.7827.53 or later on all systems. Chrome typically auto-updates, but verify successful deployment by checking chrome://settings/help or the About Chrome menu. For organizations managing Chrome deployments, push updates through your endpoint management system and verify completion before considering remediation closed. Users of Chromium-based browsers (Edge, Brave, Vivaldi, etc.) should check their respective vendor advisories for patched versions, as those projects may have separate release schedules.

Patch guidance

Google has released Chrome version 149.0.7827.53 to address this vulnerability. Update immediately through the automatic update mechanism or manually via Help > About Google Chrome. Verify the update completes by restarting the browser and confirming the version number. Organizations should test the patched version in a non-production environment first to ensure compatibility with internal web applications, then stage a phased rollout to minimize disruption. For managed environments, deploy via your Mobile Device Management (MDM) or configuration management platform and monitor update compliance metrics.

Detection guidance

Look for unusual V8 crashes or browser process terminations on user systems, which may indicate exploit attempts. Monitor for unexpected child processes spawned from the Chrome process (chrome.exe or chrome binary), as successful exploitation typically leads to code execution. Endpoint Detection and Response (EDR) tools should flag attempts to allocate executable memory or hook system functions from Chrome's sandbox. Web proxy logs showing access to suspicious or newly registered domains could indicate attacker infrastructure. Monitor for abnormal outbound network connections from Chrome processes, which may signal data exfiltration post-exploitation. Intrusion detection systems should be tuned to detect malformed JavaScript or known V8 gadget chains if behavioral signatures are available.

Why prioritize this

This vulnerability demands immediate priority due to its high severity, low exploitation complexity, practical network-based attack surface, and the ubiquity of Chrome in modern computing environments. The sandbox escape escalates this beyond a typical browser vulnerability—it grants full code execution, not just access to a single web page's data. Organizations should treat this as a critical emergency patch within 24–48 hours of release to minimize the window during which attackers can exploit unpatched systems.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects: (1) Network attack vector—attacker reaches targets over the internet without authentication; (2) Low attack complexity—exploitation requires no special conditions or knowledge; (3) No privileges required; (4) User interaction needed but minimal (visiting a website); (5) Impact is complete—High confidentiality, integrity, and availability loss on the sandboxed system. This score appropriately captures a sandbox escape as a critical threat. The vulnerability is not yet tracked in the CISA KEV catalog, but its high severity and ease of exploitation mean it should be prioritized as if it were actively exploited in the wild.

Frequently asked questions

Does this vulnerability require administrative privileges to exploit?

No. An attacker only needs to trick a user into visiting a malicious website. Once there, the payload executes within the Chrome process at the user's current privilege level, which is sufficient to steal data, install malware, or move laterally in a network.

Can disabling JavaScript prevent exploitation?

Not reliably. While disabling JavaScript would block many web-based attacks, this vulnerability affects V8's implementation itself. An attacker may be able to trigger the flaw through other mechanisms or convince users to re-enable JavaScript temporarily. The proper fix is to update Chrome; disabling JavaScript is not a viable long-term workaround.

Does this affect Chrome on mobile devices?

Yes. Chrome on iOS and Android both use V8 and are vulnerable to this flaw. Users should ensure automatic updates are enabled on their mobile devices and manually check for updates if using an older version.

If I use a Chromium-based browser other than Chrome (Edge, Brave, etc.), am I affected?

Possibly, depending on when those projects integrate the V8 fix. Check your browser's vendor advisory and release notes for patched versions. Each Chromium-based browser maintains its own release schedule, so patches may lag slightly behind Chrome.

This analysis is provided for informational purposes and reflects the vulnerability details as of the publication date. CVSS scores, CWE classifications, and affected product lists are derived from official CVE and vendor sources and should be verified against the most current advisories from Google Chrome Security and respective operating system vendors. Patch version numbers should be confirmed against official vendor release notes before deployment. This document does not constitute legal advice or a guarantee of security. Organizations should conduct their own risk assessment and testing before deploying patches in production environments. SEC.co makes no warranty regarding the completeness or accuracy of exploit detection signatures or remediation guidance provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).