CVE-2026-10918: Chrome Viz Use-After-Free Sandbox Escape Vulnerability
A use-after-free vulnerability in Google Chrome's Viz component allows an attacker who has already compromised the browser's renderer process to potentially escape the sandbox and gain deeper system access. The attacker would need to trick a user into visiting a malicious webpage, but the actual exploitation requires prior renderer compromise, making this a multi-stage attack. While not currently known to be exploited in the wild, the vulnerability represents a meaningful privilege escalation path for sophisticated threat actors who have achieved initial browser process compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Viz in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10918 is a use-after-free condition (CWE-416) in the Viz rendering component of Chromium-based browsers. The vulnerability exists in Chrome versions prior to 149.0.7827.53. Exploitation requires two prerequisites: first, a compromised renderer process (likely achieved through a separate vulnerability or attack vector), and second, user interaction with a crafted HTML page. When these conditions are met, the use-after-free allows execution in the context of the Viz process, potentially bypassing Chrome's sandbox isolation. The CVSS 3.1 score of 8.3 reflects the high integrity and confidentiality impact despite the higher exploitation barriers.
Business impact
For enterprise environments, this vulnerability poses a risk in scenarios where attackers combine multiple exploits to achieve sandbox escape. Organizations relying on Chrome as their primary browser, particularly those in high-risk sectors, should treat this as part of a broader defense-in-depth concern. The requirement for renderer compromise means this is primarily relevant to organizations already contending with advanced persistent threats or sophisticated social engineering. However, the potential for privilege escalation once achieved warrants prompt patching, as it could enable lateral movement or unauthorized system access beyond the browser context.
Affected systems
Google Chrome prior to version 149.0.7827.53 is directly affected. The vulnerability also impacts Chrome on macOS, Windows, and Linux distributions, since it is inherent to the Chromium codebase. Any Chromium-based browser (Edge, Brave, Opera, etc.) built from the affected Chromium source may similarly be vulnerable; verify with respective vendors for patch availability and timelines. The Linux kernel itself is not directly vulnerable, but systems running Chrome on Linux are affected by the browser vulnerability.
Exploitability
Exploitation is constrained by several factors that reduce immediate risk: the attacker must first compromise the Chrome renderer process through a separate vulnerability or social engineering, the user must actively interact with the malicious page, and the attack must be precisely timed to the vulnerable code path. These requirements place this in the 'moderate' exploitability category despite the high CVSS score. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog, suggesting no active weaponization has been documented at this time. However, capability development is likely among nation-state and advanced criminal groups.
Remediation
Update Google Chrome to version 149.0.7827.53 or later immediately. Chrome typically auto-updates, but users should manually verify their version (chrome://settings/help) and force an update if needed. On macOS, Windows, and Linux, the patched version addresses the use-after-free condition in the Viz component. For Chromium-based browsers from other vendors, check their respective security advisories and release notes for the corresponding patched version based on their Chromium branch point.
Patch guidance
Google Chrome will notify users of the available update through its built-in update mechanism. Users should allow the update to install and restart their browser to activate the patch. For enterprise deployments using Chrome Enterprise, update policies through your device management platform (MDM/UEM) or Group Policy on Windows to enforce the minimum version of 149.0.7827.53. Test the patched version in a limited pilot before organization-wide deployment to confirm stability with your web applications and extensions. Verify in chrome://version that you are running build 149.0.7827.53 or higher.
Detection guidance
Monitor Chrome version compliance across your organization using endpoint detection and response (EDR) tools or Mobile Device Management (MDM) solutions to ensure no instances remain below version 149.0.7827.53. Log suspicious renderer process behavior or crashes, particularly if accompanied by unexpected sandbox escape attempts or system-level resource access from the Chrome process. Web content filtering solutions may help prevent delivery of malicious HTML pages, though detection of the specific exploit payload is challenging without detailed indicators of compromise. Focus detection efforts on monitoring for anomalous privilege escalation events originating from browser processes on endpoints running vulnerable Chrome versions.
Why prioritize this
This vulnerability merits high-priority patching due to its CVSS 8.3 score and the potential for sandbox escape, which represents a material privilege escalation threat. While the exploitation prerequisites (renderer compromise + user interaction) reduce immediate risk compared to truly network-adjacent vulnerabilities, the consequence of successful exploitation—breaking out of the browser sandbox—is severe enough to justify rapid remediation. Organizations should treat this as part of their regular patch cycle but not defer other security activities; this is not a zero-day or imminent threat in the wild. Prioritize based on your environment's Chrome deployment scale and risk profile.
Risk score, explained
The CVSS 3.1 score of 8.3 (HIGH) reflects: (1) High confidentiality, integrity, and availability impact (C:H/I:H/A:H), as successful exploitation breaks sandbox isolation; (2) Network exploitability (AV:N), as the crafted HTML can be served remotely; (3) Mitigating factors include High Attack Complexity (AC:H) due to the need for renderer process compromise and specific code path conditions, and Required User Interaction (UI:R) for the page visit. The 'Changed Scope' (S:C) component elevates the score because the impact extends beyond the vulnerable component (Viz) to system-level access. The score appropriately captures the severity for an advanced attack scenario but reflects that this is not a simple, one-click exploitation path.
Frequently asked questions
Does this vulnerability require a separate exploit to be useful, or can it be exploited standalone?
This vulnerability requires a two-stage attack: first, the renderer process must already be compromised (either through a separate browser vulnerability, supply-chain attack, or social engineering), and second, the victim must visit a page containing the crafted HTML. It cannot be exploited as a standalone initial attack vector, which significantly reduces real-world risk but does not eliminate it for targeted campaigns.
If I update Chrome today, am I protected?
Yes. Updating to version 149.0.7827.53 or later patches the use-after-free condition in the Viz component. Chrome's auto-update mechanism should deploy this automatically, but you can manually check chrome://settings/help to verify your current version and force an update if needed.
Does this affect Chromium-based browsers like Edge, Brave, or Opera?
Potentially, yes. These browsers are built on the same Chromium source code, so they may inherit the vulnerability depending on their build branch point. Check the security advisories from Microsoft (Edge), Brave, Opera, and other vendors for their respective patched versions. Do not assume they are automatically fixed just because Chrome is.
Is this vulnerability being actively exploited in the wild?
As of the vulnerability's public disclosure, it is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no confirmed active exploitation has been documented. However, the technique and impact make this an attractive target for advanced threat actors, so capability development may already be underway among sophisticated groups.
This analysis is provided for informational purposes and reflects the vulnerability details and publicly available information as of the publication date. CVSS scores, patch versions, and KEV status are sourced from official vendor advisories and CISA records. Organizations should verify patch applicability against their specific Chromium-based browser versions and configurations. This document does not provide exploit code, weaponized proof-of-concept instructions, or targeted attack methodology. Security teams should conduct their own risk assessment based on their environment, threat model, and Chrome deployment scale. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance