CVE-2026-10908: Chrome FullScreen Use-After-Free Sandbox Escape on Windows
A use-after-free vulnerability exists in Google Chrome's full-screen functionality on Windows systems. An attacker who has already compromised Chrome's rendering engine could exploit a specially crafted web page to escape the browser sandbox and execute arbitrary code with higher privileges. This requires the attacker to have initial renderer process access, but once achieved, the flaw could allow them to run code outside the sandbox protection layer.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in FullScreen in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10908 is a use-after-free vulnerability (CWE-416) in the FullScreen component of Chromium-based Google Chrome running on Windows. The vulnerability exists in versions prior to 149.0.7827.53. An attacker with a compromised renderer process can craft a malicious HTML page that references a freed memory object, leading to memory corruption. This memory corruption can be leveraged to achieve a sandbox escape, allowing code execution in the host Windows context rather than within Chrome's restricted sandbox environment.
Business impact
Sandbox escape vulnerabilities are strategically significant because they transform a browser compromise into a full system compromise. If an attacker tricks a user into visiting a malicious website via phishing or drive-by download, and Chrome is already vulnerable, the attacker gains OS-level code execution. This enables credential theft, malware installation, lateral movement within corporate networks, and persistence mechanisms. For organizations, this means endpoint protection must assume modern browsers are a critical attack surface.
Affected systems
Google Chrome versions prior to 149.0.7827.53 running on Microsoft Windows are affected. Desktop and laptop systems running vulnerable Chrome builds are at risk. Chromium-based derivatives (Edge, Brave, Opera, etc.) may also be affected depending on their patching timeline and version alignment with the upstream Chromium fix. Verify your specific browser version and derivative's patch status through their respective security advisories.
Exploitability
Exploitation requires two conditions: (1) the renderer process must already be compromised, typically via a separate web-based exploit or vulnerability, and (2) the user must visit or be directed to a crafted HTML page. The CVSS vector reflects high complexity (AC:H) due to sandbox escape exploitation difficulty, but the user interaction requirement (UI:R) is met through standard web navigation. Active exploitation in the wild has not been confirmed in the KEV database as of the latest update, but the attack chain is feasible for well-resourced threat actors.
Remediation
Update Google Chrome to version 149.0.7827.53 or later immediately. Use Chrome's built-in auto-update feature or manually check Settings > About Google Chrome to verify the latest version is installed. For organizations, enforce automated Chrome updates via Windows Group Policy (for managed deployments) or mobile device management (MDM) policies. Additionally, consider defense-in-depth: keep Windows and all software updated, deploy browser isolation technology for high-risk users, and maintain endpoint detection and response (EDR) tools to catch initial renderer exploits before sandbox escape is attempted.
Patch guidance
Google Chrome 149.0.7827.53 and later contain the fix. Verify your Chrome version in Settings > About Google Chrome—this will show your current version and auto-download available updates. For enterprise deployments using Google Chrome Enterprise, configure the Chrome Update policies to enforce installation. Test patches in a non-production environment first if you manage centralized Chrome instances. Chromium-based browsers (Microsoft Edge, Brave, Opera) should check their official security advisories for corresponding patch versions, as they may lag upstream Chromium releases.
Detection guidance
Monitor Chrome crash reports and renderer process termination events; exploitation attempts may trigger memory protection exceptions before sandbox escape succeeds. EDR solutions should flag unusual child process creation from chrome.exe, especially processes spawning with SYSTEM or elevated privileges. Web proxy logs and DNS records can help identify malicious domains hosting exploit pages. Inspect browser extension and plugin install events for suspicious additions post-breach. Correlate renderer exploitation signatures (if available in your EDR vendor's ruleset) with successful sandbox escape indicators such as unexpected Windows API calls from Chrome processes or creation of persistence mechanisms.
Why prioritize this
This vulnerability earns HIGH priority because sandbox escape in a widely deployed, always-on application (Chrome) amplifies impact significantly. A single successful exploit grants an attacker OS-level persistence and lateral movement capability. Although active exploitation is not yet confirmed in public KEV records, threat actors routinely chain browser exploits with sandbox bypasses in targeted campaigns. Organizations should prioritize patching within their standard browser update cycle, typically 1–2 weeks, and accelerate for high-risk user groups (executives, developers, security staff).
Risk score, explained
The CVSS 3.1 score of 8.3 (HIGH) reflects the confluence of network attack vector (AV:N), high complexity due to sandbox escape difficulty (AC:H), no privilege requirement to visit a web page (PR:N), required user interaction to click a link (UI:R), changed scope to impact system and network (S:C), and high confidentiality, integrity, and availability impact (C:H/I:H/A:H) once exploitation succeeds. The score appropriately emphasizes the privilege escalation and system-wide implications of a successful sandbox break, balanced by the requirement for an attacker to first compromise the renderer process via a separate vulnerability.
Frequently asked questions
Does this vulnerability affect Chrome on macOS or Linux?
The CVE description specifies Windows systems. Chromium's vulnerability was fixed in version 149.0.7827.53 for all platforms, so other operating systems likely received the same upstream fix. However, verify the patch status for non-Windows Chrome through Google's official security releases page and your OS vendor's Chrome documentation.
What happens if I'm running Chrome with a compromised renderer process but don't visit the malicious page?
The vulnerability cannot be exploited in isolation. An attacker must first compromise the renderer process (via a separate exploit or social engineering) and then trick you into visiting a page containing the use-after-free trigger. Without both conditions, your system remains secure from this specific flaw.
Are Chromium-based browsers like Microsoft Edge or Brave affected?
They likely are, since they use the same Chromium source code. However, patch release dates vary by vendor. Microsoft Edge typically patches within days of Chromium updates; smaller projects may lag. Check Microsoft, Brave, and Opera's security advisories for their specific patch versions and timelines.
Do I need to uninstall and reinstall Chrome, or is an update sufficient?
A standard update is sufficient. Chrome's auto-update mechanism will download and install version 149.0.7827.53 automatically. You may need to restart Chrome or your computer depending on your settings. Manual reinstallation is not necessary unless auto-update has failed persistently.
This analysis is based on the official CVE record and Chromium security advisory published as of the source data date. Exploit code or detailed proof-of-concept instructions are not provided. Organizations should verify patch availability and compatibility in their specific environment before deployment. This intelligence is provided as-is for defensive purposes only. Consult Google's official security release blog and your vendor's security advisories for the most current information and additional context. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability