CVE-2026-10909: Chrome Dawn Use-After-Free Sandbox Escape Vulnerability (CVSS 8.3)
A use-after-free vulnerability in Google Chrome's Dawn graphics engine allows an attacker who has already compromised the browser's renderer process to escape the sandbox through a malicious webpage. This is a high-severity issue because it bridges two separate security boundaries—first gaining control within Chrome's renderer, then breaking out to execute arbitrary code on the underlying operating system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10909 is a use-after-free condition (CWE-416) in Dawn, Chrome's WebGPU implementation and graphics abstraction layer. The vulnerability exists in Chrome versions prior to 149.0.7827.53. An attacker must first compromise the renderer process (typically via JavaScript or WebGL exploit), then craft a malicious HTML page that triggers unsafe memory access in Dawn. This leads to a sandbox escape, allowing code execution at the OS privilege level rather than confined within Chrome's security boundary. The Chromium security team rated this as high severity due to the sandbox escape capability.
Business impact
A successful exploitation chain could allow attackers to gain full system compromise on any employee machine running a vulnerable Chrome version. This is particularly concerning in environments where users cannot be prevented from visiting untrusted websites. Unlike many renderer vulnerabilities contained within the sandbox, this one permits lateral movement to the host OS, making it suitable for targeted attacks against high-value individuals or organizations. Organizations should prioritize patching to prevent credential theft, data exfiltration, or malware installation at the OS level.
Affected systems
Google Chrome on Windows, macOS, and Linux distributions is directly affected. All versions prior to Chrome 149.0.7827.53 are vulnerable. While the vulnerability list includes references to Windows, macOS, and Linux kernel entries, the vulnerability is a Chrome-specific issue; patching Chrome itself is the primary mitigation. Users on all platforms should update immediately.
Exploitability
Exploitation requires two preconditions: (1) the attacker must first compromise Chrome's renderer process, typically via a separate graphics or JavaScript vulnerability, and (2) the user must visit a page crafted by the attacker. This is not a one-click remote code execution; it is part of a chain attack. However, the barrier to entry is not exceptionally high—renderer compromises via WebGL or JavaScript are relatively common, and users routinely visit untrusted content. The CVSS vector (AC:H) reflects the need for high attack complexity to trigger the use-after-free reliably, but once achieved, it grants full sandbox escape. This is not currently known to be exploited in the wild (KEV status is false).
Remediation
Immediate action: Update Google Chrome to version 149.0.7827.53 or later. Users should enable automatic updates to receive patches automatically. Organizations should verify deployment across all endpoints and consider blocking older Chrome versions via policy if feasible. This should be treated as a high-priority patch due to the sandbox escape nature.
Patch guidance
Google Chrome will automatically update to 149.0.7827.53 or later if automatic updates are enabled. Administrators can verify patching by checking chrome://version and confirming the version is 149.0.7827.53 or higher. For enterprise deployments, use the official Chrome Enterprise documentation to manage updates via group policy (Windows) or MDM (macOS/Linux). Verify vendor advisories against the Chromium security tracker to confirm that your version number matches the patched release.
Detection guidance
Monitor for Chrome crashes or renderer process restarts, which may indicate failed exploitation attempts. Endpoint detection and response (EDR) tools should monitor for unusual child processes spawned by Chrome or the Chromium process attempting OS-level system calls. Network monitoring may detect initial compromise attempts via malicious graphics content. Check for unexpected Chrome extensions or policy changes that might indicate post-compromise activity. Organizations should ensure Chrome crash reporting is enabled to capture telemetry.
Why prioritize this
This vulnerability merits urgent patching because it provides a sandbox escape path. While it requires a prior renderer compromise, the combination of two vulnerabilities (one in renderer, one in Dawn) is a realistic attack chain. The CVSS 8.3 rating reflects the high impact (integrity, confidentiality, availability) and the broad scope (escape from sandbox to host). Attacks targeting this vulnerability would likely be selective and sophisticated rather than indiscriminate worms, but the damage potential is extreme.
Risk score, explained
CVSS 3.1 score of 8.3 (HIGH) is calculated as: Network-accessible attack vector (AV:N), high attack complexity to reliably trigger the use-after-free condition (AC:H), no privileges required (PR:N), user interaction required to visit malicious page (UI:R), and scope change because it escapes the sandbox (S:C). The impact ratings (C:H, I:H, A:H) reflect that successful exploitation grants full OS-level code execution capability. The score appropriately reflects a serious but not critical vulnerability due to the attack complexity and prerequisite renderer compromise.
Frequently asked questions
Does this vulnerability affect Chrome on my phone?
Yes, if you are using Chrome on Android or iOS and the version is prior to 149.0.7827.53. However, the exploitation chain requires renderer compromise followed by sandbox escape; the practical impact may differ on mobile due to different sandbox models. Update to the latest version regardless.
I have automatic updates enabled—do I need to do anything?
No, you should receive the patch automatically. Verify by navigating to chrome://version and confirming your version is 149.0.7827.53 or higher. If you see an older version, restart your browser to complete the update.
Is this vulnerability being actively exploited?
No, this vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog and has not been publicly weaponized. However, the sandbox escape capability makes it valuable to sophisticated attackers, so proactive patching is important.
What if I cannot update Chrome immediately due to compatibility with a business application?
Test the newer Chrome version in a sandbox environment with your critical applications before wide deployment. If incompatibility is confirmed, consider additional mitigations such as blocking JavaScript execution for untrusted sites or restricting employee browsing to whitelisted domains, but these are not substitutes for patching.
This analysis is based on publicly available vulnerability data and Chromium security advisories as of the publication date. Patch version numbers and affected product versions should be verified against official vendor announcements before deployment. No exploit code or proof-of-concept details are provided. Organizations should conduct their own risk assessment and testing before applying patches in production environments. This document is for informational purposes and does not constitute professional security advice specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance