HIGH 8.3

CVE-2026-10924: Chrome Integer Overflow Sandbox Escape Vulnerability

A mathematical error in Chrome's Chromecast component allows an attacker who has already compromised Chrome's rendering engine to break out of the browser sandbox and gain full system access. The attacker needs to trick a user into visiting a malicious webpage while the renderer is already compromised. This is a serious vulnerability because sandbox escape means the attacker moves from limited browser permissions to unrestricted control of the entire device.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-190, CWE-472
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Integer overflow in Chromecast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10924 is an integer overflow vulnerability (CWE-190) in the Chromecast handling code within Chromium prior to version 149.0.7827.53. The vulnerability permits an attacker with prior control of the renderer process to exploit unsafe integer arithmetic when processing crafted HTML, triggering memory corruption that enables sandbox escape. The security model assumes the renderer is sandboxed; this bug breaks that containment, allowing arbitrary code execution at system privilege level. The attack requires user interaction (the victim must load a malicious page) but no authentication, and can affect systems across multiple operating systems running vulnerable Chrome versions.

Business impact

Successful exploitation grants an attacker complete control over an affected workstation or device. This moves the threat from a confined browser context to the operating system kernel level, enabling theft of sensitive data, installation of persistent malware, lateral movement within corporate networks, and compliance violations. Organizations with policies restricting admin elevation will see those controls bypassed. The impact is critical for environments where developers, researchers, or staff using Chrome access sensitive data or systems.

Affected systems

Google Chrome versions prior to 149.0.7827.53 on all major platforms (Windows, macOS, and Linux systems with Linux kernel) are affected. Users of Chromium-based browsers may also be at risk depending on their patch status relative to the upstream fix. Verify your current Chrome version via Chrome Menu > About Chrome and compare against version 149.0.7827.53.

Exploitability

Exploitation requires two preconditions: the attacker must first compromise the Chrome renderer process (via a separate vulnerability or supply chain attack) and then trick the user into loading a crafted HTML page. While the sandbox escape itself is reliable once triggered, the need for prior renderer compromise and user action limits the attack surface compared to a direct remote code execution. However, given the prevalence of browser-based attack chains, the risk remains substantial in practice.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately. On Windows, use Chrome > Settings > About Chrome; the browser will auto-download and prompt for restart. On macOS, the same menu path applies; restart the browser to apply the patch. Linux users should update their distribution-provided Chrome package or download directly from Google. Verify the update by checking Settings > About Chrome displays version 149.0.7827.53 or higher. Restrict user access to untrusted websites if immediate patching is delayed.

Patch guidance

Google released the fix in Chrome 149.0.7827.53. Auto-update is enabled by default; most users will receive the patch within 24–48 hours of release. For enterprise deployments, verify Chrome update policy is active and consider forcing a restart during maintenance windows. No workarounds exist; patching is the only mitigation. Test the update in a non-production environment if your organization has custom Chrome configurations. If your organization uses a centralized Chrome management system, confirm the patch version is staged and rolled out to all endpoints.

Detection guidance

Monitor Chrome process behavior for attempts to escape sandbox boundaries, such as unexpected system calls or memory mapping operations. In detection engineering, look for Chrome renderer processes attempting direct kernel access or spawning child processes with escalated privileges. Network-based detection is limited since the attack requires user interaction on the victim's machine; focus on host-based indicators such as unusual Chrome memory access patterns or process spawning. Check web proxy and DNS logs for accesses to known malicious sites that host exploit pages, though attribution is difficult. Endpoint Detection and Response (EDR) tools should alert on Chrome sandbox escape patterns if configured with appropriate behavioral rules.

Why prioritize this

This vulnerability merits immediate attention because sandbox escape represents a critical jump in attacker capability: from confined browser process to full system control. The CVSS 8.3 HIGH score reflects the high impact (confidentiality, integrity, availability) and the requirement for user interaction as the main limiting factor. Although the CISA KEV catalog has not yet listed this CVE, the severity and exploitability trend in the wild suggest rapid adoption by threat actors is likely. Patches are available and straightforward to deploy, making this a clear high-priority patching target.

Risk score, explained

The CVSS 3.1 score of 8.3 (HIGH) is driven by: (1) High impact across confidentiality, integrity, and availability—a compromised system can be fully controlled; (2) Network vector reflecting that the malicious HTML can be served remotely; (3) High complexity (AC:H) because the attacker must first compromise the renderer process and convince the user to load the page; (4) No privilege requirement (PR:N) in the renderer context once compromised; (5) User interaction (UI:R) requirement for the final trigger. The score correctly captures the severity of sandbox escape but tempers it with the two-stage attack requirement. In practice, the risk to your organization depends on the likelihood of prior renderer compromise in your environment.

Frequently asked questions

My Chrome updates automatically. Am I protected?

If auto-update is enabled (the default), Chrome should update to 149.0.7827.53 within 24–48 hours of release. However, the update requires a browser restart to take effect. Check Settings > About Chrome to confirm your current version. If it still shows a version prior to 149.0.7827.53, restart Chrome immediately.

Is there a way to detect if this vulnerability has been exploited on my system?

Direct forensic detection is challenging because the exploit leaves minimal on-disk artifacts if the attacker cleans up after execution. Focus on behavioral signs: look for unexpected processes spawned by Chrome, unusual network connections from your system after visiting unknown websites, or EDR alerts for sandbox escape patterns. If you suspect compromise, isolate the machine, image it for forensics, and consult your incident response team.

Does this affect Chromium-based browsers like Edge or Brave?

Microsoft Edge and other Chromium derivatives may be affected depending on their update cadence relative to upstream Chromium fixes. Check the release notes for your browser to confirm the equivalent patch version. Microsoft Edge typically releases updates independently; verify you are running the latest version through your browser's help menu.

What if we cannot patch immediately due to business constraints?

Mitigations are limited without patching. Restrict user access to untrusted websites and external links; monitor outbound network connections from Chrome processes; and disable plugins or extensions that might increase renderer compromise risk. However, these are temporary measures. Patching should remain your top priority within 72 hours. If a delay exceeds one week, escalate to leadership and consider alternative browsers for high-risk user roles until patching is complete.

This analysis is based on publicly available vulnerability data as of the publication and modification dates listed. CVSS scores and severity ratings are drawn from official Chromium and NVD sources and may be updated. No exploit code or proof-of-concept is provided or endorsed. Patch availability and version numbers should be verified against official Google Chrome release notes and your organization's software inventory. This advisory does not constitute a guarantee of protection and should be combined with your organization's risk management, detection, and incident response procedures. SEC.co and its analysts disclaim liability for damages arising from reliance on this information without independent validation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).