CVE-2026-10917: Chrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
Google Chrome versions before 149.0.7827.53 contain a media handling flaw that allows an attacker who has already compromised the browser's renderer process to escape the sandbox and gain broader system access. The vulnerability requires user interaction (visiting a specially crafted webpage) but poses a significant risk because renderer compromises are common entry points in real attacks. Once inside the renderer, the flaw gives an attacker a path to elevated privileges on the underlying operating system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient input validation in Chrome's media processing code (CWE-20). An attacker positioned with renderer process compromise can supply crafted HTML containing malformed media data that bypasses sandbox restrictions. The sandbox escape converts a limited renderer-level compromise into potential full system compromise, affecting Chrome on Windows, macOS, and Linux. The attack chain requires initial renderer exploitation, but the subsequent sandbox escape significantly amplifies impact.
Business impact
For organizations, this vulnerability represents a two-stage attack risk. First, users must be compromised at the renderer level (via malware, phishing, or prior vulnerabilities). Second, those compromises become critical if users visit attacker-controlled sites. Desktop environments relying on Chrome for work carry elevated exposure. Unpatched instances could enable lateral movement, credential theft, or malware persistence at the OS level, transforming what might be a contained browser compromise into enterprise-wide incident severity.
Affected systems
Google Chrome prior to version 149.0.7827.53 on all major platforms: Windows, macOS, and Linux systems. The vulnerability also may affect Chromium-based browsers derived from affected versions. Apple macOS, Linux kernel, and Microsoft Windows systems running vulnerable Chrome versions are the affected deployment contexts.
Exploitability
Exploitation requires two prerequisites: (1) the renderer process must already be compromised through a separate vulnerability or attack, and (2) user interaction to visit a crafted webpage. The CVSS vector reflects High complexity due to these preconditions, but in targeted attack scenarios where both conditions exist, exploitability is practical. The vulnerability is not in the CISA KEV catalog, indicating no evidence of in-the-wild exploitation at the time of initial assessment.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism will deploy patches automatically for most users within days of release. Organizations managing Chrome through group policy or mobile device management should verify deployment status across their installed base. Users who manually manage updates should initiate updates immediately.
Patch guidance
Deploy Chrome version 149.0.7827.53 or later across all endpoints. For managed environments, verify the update via About Chrome (chrome://settings/help) or consult your MDM/SCCM deployment logs. Chromium projects and derivative browsers should apply equivalent patches from their upstream. Test patches in non-production environments first if your organization runs critical workflows in Chrome.
Detection guidance
Monitor Chrome version inventory to identify instances below 149.0.7827.53. Endpoint detection and response (EDR) systems should alert on renderer process crashes followed by suspicious system calls, as sandbox escapes often leave detectable patterns in process behavior. Browser extension monitoring and suspicious HTML/media file ingestion from untrusted sources may provide early warning. Log Chrome crash reports and correlate with user web activity.
Why prioritize this
While the vulnerability requires pre-existing renderer compromise, sandbox escapes are critical because they amplify the impact of every other browser vulnerability. Organizations with high-value users (executives, developers, security teams) or those in targeted sectors should prioritize patching quickly. The High CVSS score, broad platform coverage, and risk-amplifying nature justify treating this as a near-term remediation target.
Risk score, explained
The CVSS 8.3/High score reflects high confidentiality, integrity, and availability impact (C:H, I:H, A:H) balanced against attack complexity (AC:H) due to the required renderer compromise and user interaction prerequisites. The network-accessible attack vector and scope change (S:C) indicate system-wide compromise potential. The score appropriately captures that while exploitation barriers exist, successful attacks are severe.
Frequently asked questions
Do I need to be exploited twice for this vulnerability to matter?
Effectively yes. An attacker first needs to compromise your Chrome renderer (via a separate vulnerability or malware), then trick you into visiting a malicious website to trigger the sandbox escape. However, renderer compromises are common in real attacks, making this a realistic risk in multi-stage intrusions.
Why is this not on the CISA KEV catalog if it's High severity?
KEV status reflects evidence of active, in-the-wild exploitation. This vulnerability was not observed being exploited at the time of assessment. That doesn't diminish its severity—it means defenders have a window to patch before attackers weaponize it broadly.
Does my auto-updating Chrome protect me automatically?
Yes, if auto-update is enabled (the default), Chrome will update to 149.0.7827.53 within a few days of release. Verify by checking About Chrome (chrome://settings/help). Enterprise deployments managed via policy should confirm rollout separately.
Are other Chromium browsers affected?
Potentially, if they're built from Chrome source code at versions prior to the patch. Check with your browser vendor (Edge, Brave, Vivaldi, etc.) for equivalent patches. Do not assume they're automatically protected just because Chrome is patched.
This analysis is based on vendor advisories and CVSS data current as of publication. Security posture varies by organization; consult your own risk management frameworks when prioritizing remediation. Patch version numbers and KEV status are as reported by authoritative sources and subject to change. No exploit code or detailed attack instructions are provided. Always verify patch compatibility and test updates before broad deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10922HIGHChrome DevTools Same-Origin Policy Bypass (CVSS 8.8)
- CVE-2026-10969HIGHChrome Extension Privilege Escalation Vulnerability – Patch Guidance
- CVE-2026-10970HIGHChrome Sandbox Escape via InterestGroups Input Validation Flaw
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)