CVE-2026-10905: Chrome Sandbox Escape via Use-After-Free in Network Code
A memory safety flaw in Google Chrome's network code allows an attacker who has already compromised the browser's renderer process to escape the sandbox and gain full system access. The vulnerability requires user interaction (opening a malicious HTML page) but poses significant risk because successful exploitation bypasses Chrome's core security boundary—the sandbox that isolates the browser from the operating system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10905 is a use-after-free vulnerability (CWE-416) in the Network component of Chromium prior to version 149.0.7827.53. A compromised renderer process can trigger memory corruption through crafted HTML, potentially achieving sandbox escape. The attack surface is remote but requires renderer compromise as a precondition; however, renderer compromises via malicious web content are common in real-world attack chains. The vulnerability earned a Chromium security severity rating of High and a CVSS v3.1 score of 8.3.
Business impact
Successful exploitation transforms a browser compromise into full system compromise. An attacker gains the ability to read sensitive data, modify files, install malware, or pivot to other systems on the network. For organizations, this directly threatens confidential information accessed through Chrome and increases the blast radius of web-based attacks. Users who browse untrusted content face elevated risk of complete system takeover.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are vulnerable. The vulnerability also affects systems running Chrome on Apple macOS, Microsoft Windows, and Linux platforms, as well as Linux kernel environments where Chrome may be deployed. Any environment running an outdated Chrome version is at risk.
Exploitability
Exploitation requires two conditions: first, the attacker must compromise the Chrome renderer process (typically via a malicious webpage or web-based exploit), and second, the user must be tricked into visiting a crafted HTML page. The CVSS vector reflects these constraints (AC:H for attack complexity, UI:R for user interaction required). While not trivially exploitable by unauthenticated remote actors, the attack is feasible in targeted campaigns and poses material risk given the prevalence of renderer exploits in the wild.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically rolls out patches within days; however, users should verify their version under Settings > About to confirm they are running a patched build. For enterprise deployments, enforce Chrome version policies to block outdated releases.
Patch guidance
Google Chrome patches are released regularly through the auto-update channel. Verify your installed version by navigating to Settings > About > Chrome; the browser will check for updates automatically and restart to apply them. Users on managed deployments should coordinate patch schedules with their IT team to ensure timely deployment of version 149.0.7827.53 or later across the organization.
Detection guidance
Monitor Chrome process activity for abnormal memory access patterns or inter-process communication that could indicate sandbox escape attempts. Desktop security tools should alert on processes spawned by Chrome with elevated privileges. Network-level detection is limited; focus on endpoint telemetry to identify post-compromise behavior such as unusual file system access, registry modifications (on Windows), or child process creation. Consider monitoring for indicators of compromise (IoCs) related to known renderer exploits that might precede sandbox escape attacks.
Why prioritize this
This vulnerability merits high priority because it enables sandbox escape—a critical security boundary bypass. Although it requires renderer compromise as a precondition, renderer compromises are relatively common in targeted attacks. Organizations should prioritize patching to eliminate this attack vector, particularly if their users access untrusted web content or high-value web applications. The CVSS score of 8.3 and Chromium's High severity rating reflect the severity of potential impact.
Risk score, explained
The CVSS 3.1 score of 8.3 (HIGH) reflects the combination of network accessibility (AV:N), high attack complexity due to the need for renderer compromise and user interaction (AC:H, UI:R), changed scope (S:C, indicating system-wide impact), and confidentiality, integrity, and availability impacts (C:H, I:H, A:H). The changed scope is particularly significant—it means successful exploitation is not confined to the Chrome process but extends to the underlying operating system. The score appropriately elevates the risk profile due to the sandbox escape dimension.
Frequently asked questions
What does 'use-after-free' mean, and why is it dangerous?
A use-after-free occurs when code accesses memory that has already been freed and is no longer valid. Attackers can exploit this by controlling what data occupies that freed memory, leading to arbitrary code execution. In this case, the vulnerability exists in Chrome's network handling code, making it a vector for sandbox escape if the renderer process is already compromised.
I have auto-update enabled. Am I automatically protected?
Chrome's auto-update mechanism will eventually roll out version 149.0.7827.53 or later. However, the update may not be immediate, and older versions may persist if the browser has not restarted. Check Settings > About > Chrome to verify your current version and force a restart to ensure the latest patch is applied.
What is a 'sandbox escape,' and why should I care?
Chrome's sandbox isolates the browser's renderer process from the operating system. A sandbox escape allows an attacker to break out of that isolation and access system resources directly—files, memory, hardware, and other applications. This converts a browser exploit into a full system compromise.
Does this vulnerability affect me if I don't visit untrusted websites?
The attack requires both renderer compromise and user interaction (visiting a crafted page). If your browsing habits are limited to well-known, trusted sites and your organization has web filtering in place, your risk is lower. However, organizations should not rely on user behavior alone; timely patching is the most reliable mitigation.
This analysis is based on publicly available vulnerability data as of the publication date. Security research and threat intelligence are dynamic; new attack vectors or mitigations may emerge. Organizations should verify patch availability and applicability with Google Chrome's official release notes and security advisories. No exploit code, proof-of-concept, or specific attack instructions are provided. This analysis is intended for defensive security planning only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance