HIGH 8.3

CVE-2026-10921: Chrome Dawn Integer Overflow Sandbox Escape Vulnerability

A flaw in Google Chrome's graphics processing library (Dawn) could allow an attacker to break out of the browser's security sandbox if they've already compromised the rendering engine. The vulnerability stems from an integer overflow—a situation where a number calculation wraps around and produces an incorrect value—that could be triggered by a specially crafted webpage. While the attacker would need to have already gained access to the renderer process, successfully exploiting this could grant them the same privileges as the operating system user running Chrome, potentially leading to full system compromise.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-190, CWE-472
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Integer overflow in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10921 is an integer overflow vulnerability (CWE-190, CWE-472) in Dawn, the graphics abstraction layer used by Chromium-based browsers. The flaw allows an attacker with renderer process access to craft a malicious HTML page that triggers arithmetic overflow conditions, bypassing Chrome's multi-process security model and escaping the renderer sandbox. The vulnerability requires user interaction (visiting a malicious site) and relies on a prior renderer compromise, but once triggered, permits arbitrary code execution at the OS privilege level of the user running Chrome. Google rated this High severity within their internal classification scheme.

Business impact

For enterprises, this vulnerability represents a two-stage attack risk. If a user is socially engineered or compromised through another vector to visit a malicious site, an attacker could escalate from browser process isolation to full system access. This bypasses the fundamental security isolation that makes browsers relatively safe containers for untrusted content. Organizations should prioritize this alongside other sandbox-escape vulns, as it could enable lateral movement, credential theft, or deployment of persistent malware on networked workstations. Remote work and BYOD environments where Chrome is the primary browser face elevated exposure.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are affected. The vulnerability is platform-agnostic; it affects Chrome running on Windows, macOS, and Linux systems. While the CVE record lists Linux kernel, macOS, and Windows as affected vendors/products, the core vulnerability resides in the Chrome/Chromium codebase itself. Verify your Chrome version and OS combination against Google's official advisory to confirm exposure. Chromium-based browsers (Edge, Brave, Opera) built from affected Chromium versions may also be impacted depending on their release cadence and inclusion of this patch.

Exploitability

Exploitation requires two preconditions: the attacker must first compromise the Chrome renderer process (via a separate vulnerability, malicious extension, or initial access), and the victim must visit a page hosting the integer overflow trigger. The CVSS vector reflects high impact (C:H, I:H, A:H) but medium accessibility due to these prerequisites (AC:H, UI:R). Active exploitation in the wild is not currently tracked in the CISA KEV catalog, suggesting either limited public PoC availability or that threat actors are reserving this as part of multi-stage chains rather than standalone attacks.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Users should enable automatic updates, which is the default configuration in modern Chrome. For enterprise environments, use Chrome policies (e.g., UpdatePolicy) to enforce minimum version requirements. Organizations running Chromium-based alternatives should check their vendors' patch releases to confirm inclusion of this fix. There is no workaround; patching is the only mitigation.

Patch guidance

Google released Chrome 149.0.7827.53 to address this vulnerability. On Windows and macOS, Chrome typically auto-updates silently during browser restarts. Linux package managers may require manual update commands or scheduled updates depending on distribution. For macOS, verify the update under Chrome menu > About Google Chrome; the browser will check for updates automatically. On Windows, Settings > About Chrome triggers the update check. Enterprise administrators should validate patch deployment via Chrome management console or device management platforms to confirm all managed instances have reached 149.0.7827.53 or later.

Detection guidance

Monitor Chrome process execution and version telemetry to ensure all instances are running 149.0.7827.53 or above. EDR platforms should flag attempts to spawn code from the Chrome sandbox with elevated privilege escalation indicators. Network-side detection is limited since the trigger is a client-side HTML page; focus on endpoint agents that can observe Chrome process behavior anomalies. Behavioral indicators of sandbox escape include unexpected child processes from chrome.exe (Windows) or chrome (Linux/macOS) with system-level privileges, or attempts to access protected OS resources from the renderer process context.

Why prioritize this

Although not currently in the KEV catalog, this vulnerability merits prompt attention due to the high CVSS score (8.3), the critical nature of sandbox escape (which undermines Chrome's core security model), and the widespread deployment of Chrome across enterprises. The requirement for prior renderer compromise means it's typically part of a multi-stage attack; prioritize patching within your standard cycle but do not delay. If you have evidence of targeted campaigns or renderer exploits in your environment, expedite this patch to critical status.

Risk score, explained

The CVSS 8.3 (HIGH) rating reflects the combination of network-reachable attack surface (AV:N), user interaction requirement (UI:R), high impact on confidentiality, integrity, and availability (C:H, I:H, A:H), and scope change (S:C—the attack crosses the sandbox boundary). The AC:H modifier acknowledges that the attacker must have already compromised the renderer, but once conditions are met, the exploit is deterministic. The score appropriately balances the remote trigger with the serious nature of sandbox escape.

Frequently asked questions

Do I need to patch this immediately, or can I wait for our regular update cycle?

Given the sandbox escape nature and CVSS 8.3 rating, patch within your normal cycle (typically 2–4 weeks) unless you have evidence of active exploitation targeting your organization. KEV status is currently false, so CISA is not mandating emergency response timelines. However, if your organization runs Chrome in a high-risk environment (defense contractor, financial institution, healthcare), prioritize sooner.

We use a Chromium-based browser like Edge or Brave. Are we affected?

Possibly. Edge and Brave derive from Chromium and will be affected if their releases include the vulnerable Chromium code. Check your vendor's security advisory and patch release notes to confirm whether version tracking aligns with Chrome 149.0.7827.53. Do not assume the patch is automatically included.

What's the difference between this vulnerability and typical Chrome bugs?

This is a sandbox escape—it breaks Chrome's multi-process security model that isolates the renderer from the OS. Most Chrome CVEs allow an attacker to crash the browser or read restricted data within the sandbox. This one potentially grants full OS-level code execution if the renderer is already compromised, making it far more dangerous for system security.

How would an attacker compromise the renderer in the first place?

Common entry points include drive-by download exploits, malicious ads, compromised extensions, or other browser vulnerabilities. Once the renderer is compromised, this integer overflow could then be chained to escape the sandbox. This is why defense-in-depth is critical: patch Chrome, use a reputable ad blocker, audit extensions, and keep other software updated.

This analysis is based on published vulnerability data available as of June 2026 and the provided CVE record. Exploit details, threat actor activity, and patch availability are subject to change. Always verify patch version numbers and compatibility against official Google Chrome security advisories before deployment. Organizations should conduct internal risk assessment based on their specific Chrome deployment architecture, user base, and threat model. SEC.co provides this intelligence for informational purposes; consult your security team and vendor advisories for definitive remediation guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).