HIGH 8.3

CVE-2026-10919: Chrome ANGLE Use-After-Free Sandbox Escape (v149)

A use-after-free bug in Chrome's ANGLE graphics library before version 149.0.7827.53 allows an attacker who already controls the browser's rendering process to break out of the sandbox and gain full system access. The attacker must trick a user into visiting a malicious webpage, but once the renderer is compromised, this flaw provides a path to escape Chrome's isolation boundaries.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability is a use-after-free condition (CWE-416) in the ANGLE graphics translation layer used by Chrome. When a compromised renderer process provides specially crafted input, a freed memory object is accessed, leading to memory corruption. The attack chain requires prior renderer compromise—typically via a separate browser vulnerability—but once achieved, the use-after-free enables arbitrary code execution in the system process context, circumventing Chrome's multi-process sandbox model. The vulnerability affects Chrome on Windows, macOS, and Linux.

Business impact

Organizations relying on Chrome as a primary browser face increased risk of full system compromise when end users visit malicious sites. If an attacker chains this sandbox-escape flaw with another Chrome vulnerability to first compromise the renderer, they gain OS-level code execution. This enables data exfiltration, lateral movement, and potential ransomware deployment. Enterprises managing heterogeneous endpoints must coordinate patching across multiple operating systems simultaneously.

Affected systems

Google Chrome versions prior to 149.0.7827.53 on Windows, macOS, and Linux are vulnerable. The flaw affects the ANGLE subsystem, which is integral to Chrome's graphics rendering pipeline. All users on these platforms with unpatched Chrome installations are at risk if they visit a site hosting both a renderer-compromise vector and the ANGLE exploit payload.

Exploitability

Exploiting this vulnerability requires a two-stage attack: first compromising the renderer process (via a separate vulnerability or social engineering), then supplying the crafted HTML payload. The CVSS vector (AC:H) reflects the high attack complexity needed to orchestrate both stages. While not zero-click, the barrier is moderate for sophisticated threat actors; opportunistic exploitation is less likely. The flaw is not currently tracked in CISA's Known Exploited Vulnerabilities catalog as of the latest advisory update.

Remediation

Update Google Chrome to version 149.0.7827.53 or later on all affected platforms. Chrome's auto-update mechanism will typically deploy the patch automatically within 24 hours; verify rollout completion in your device management console. For organizations with auto-update disabled, manual deployment should be prioritized. Test patch compatibility with line-of-business web applications before broad rollout if your environment has custom configurations.

Patch guidance

Verify Chrome auto-update is enabled in your environment; navigate to chrome://settings/help to confirm. For managed deployments, use the ChromeOS or Chrome Enterprise policies to accelerate rollout. If manual patching is required, obtain the installer from Google's official download page and validate the version post-installation. Organizations with extended support requirements should confirm version 149.0.7827.53 availability in their managed distribution channels before enforcement deadlines.

Detection guidance

Monitor Chrome process execution and graphics subsystem behavior for anomalous patterns. Endpoint detection and response (EDR) tools should flag attempts to access freed heap memory in graphics contexts or unexpected transitions from renderer processes to system-level operations. Network-level detection is limited since the payload is delivered via HTML; focus on behavioral indicators such as unexpected child processes spawned from Chrome or unusual system calls following web browsing activity. Log Chrome version information from all endpoints and cross-reference against 149.0.7827.53 to identify stragglers.

Why prioritize this

This vulnerability merits immediate patching priority due to its HIGH CVSS score (8.3) and sandbox-escape capability. While it requires prior renderer compromise, chaining it with other browser vulnerabilities creates a realistic multi-stage attack scenario that advanced adversaries actively pursue. The cross-platform impact (Windows, macOS, Linux) and integration into Chrome's core graphics pipeline amplify risk across diverse enterprise environments. Patch deployment should begin within 48 hours of release confirmation.

Risk score, explained

The CVSS 8.3 (HIGH) score reflects the combination of network-accessible attack vector, high complexity barrier, required user interaction, and critical impact across confidentiality, integrity, and availability. The score acknowledges that this is a sandbox-escape primitive rather than a remote code execution chain, but the consequences of successful exploitation—full system access—justify the HIGH severity. Scope change (S:C) is included because escaping the browser sandbox directly impacts the broader OS environment.

Frequently asked questions

Does this vulnerability allow remote code execution without user action?

No. While the attack vector is network-based, the attacker must first compromise Chrome's renderer process via a separate vulnerability or social engineering, then trick the user into visiting a crafted page. Automatic exploitation during normal browsing is not possible; however, the combination with other flaws can create multi-stage attack chains.

Are organizations using Chrome in kiosk or restricted modes at lower risk?

Partially. Kiosk deployments that isolate web access to whitelisted domains reduce the attack surface, but they are not immune if a compromised domain or trusted site is exploited. Organizations should still prioritize patching even in restricted environments, as the sandbox-escape capability poses significant risk if the initial compromise vector is present.

How does this vulnerability differ from typical Chrome vulnerabilities?

Most Chrome CVEs are renderer-process bugs. This flaw is notable because it operates at the graphics subsystem level (ANGLE) and enables sandbox escape—moving from browser-isolated code to OS-level execution. This makes it particularly dangerous as a second-stage payload in multi-vulnerability exploits.

Will Chrome's auto-update mechanism deploy this patch automatically?

Yes, if auto-update is enabled (the default for most users). Verify by navigating to chrome://settings/help; Chrome will check for updates immediately. For Enterprise deployments, consult your Chrome policy configuration to ensure rollout is not blocked by administrative constraints.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of June 2026. Patch version numbers and affected product ranges are based on official Chromium and vendor advisories; verify compatibility with your specific environment before deployment. No exploit code or weaponized proof-of-concept guidance is provided. Organizations should conduct independent risk assessment and testing in non-production environments prior to broad patch rollout. SEC.co does not warrant the completeness or accuracy of third-party advisory data and recommends cross-referencing official vendor security bulletins. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).