HIGH 8.3

CVE-2026-10927: Chrome Sandbox Escape via Dawn Out-of-Bounds Read

A memory reading flaw in Google Chrome's graphics component (Dawn) prior to version 149.0.7827.53 allows attackers who have already compromised the browser's renderer process to escape the sandbox through a specially crafted webpage. This is a two-stage attack: first an attacker must find a way into the renderer, then this vulnerability allows them to break out entirely.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-125
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Out of bounds read in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10927 is an out-of-bounds read vulnerability in the Dawn graphics abstraction layer used by Chrome. The flaw resides in how Chrome handles memory access within the renderer process. When processing a malicious HTML page, the out-of-bounds read can be leveraged to leak sensitive memory or construct a gadget chain that defeats the renderer sandbox. The vulnerability is classified CWE-125 (out-of-bounds read) and requires the attacker to already have code execution within the renderer context—a prerequisite that significantly constrains the attack surface.

Business impact

While the vulnerability itself requires renderer compromise first, successful exploitation enables full sandbox escape, elevating the attacker from limited renderer privileges to system-level access. This could lead to credential theft, malware installation, persistent access, or lateral movement into corporate networks. For enterprises, the risk is compounded if users visit malicious sites while already exposed to a separate renderer exploit, or if attackers chain multiple Chrome flaws in coordinated campaigns.

Affected systems

Google Chrome version 149.0.7827.53 and earlier on all platforms is affected. The vulnerability also impacts Chrome on macOS, Windows, and Linux systems. Users of Chromium-based browsers built on similar versions of the graphics stack may also be vulnerable; verify your browser's Chromium commit hash against the upstream fix.

Exploitability

Exploitation requires two prerequisites: (1) a prior compromise of the Chrome renderer process, and (2) delivery of a crafted HTML page to the compromised browser. The attack vector is network-based but the attacker access level (renderer) and the requirement for user interaction lower the standalone exploitability. The CVSS 3.1 score of 8.3 (HIGH) reflects the severe impact once chained with a renderer exploit, though the practical attack chain remains complex.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately. Chrome's auto-update mechanism should deploy the patch, but verify completion in chrome://settings/help. For managed environments, push this update with high priority using your mobile device management (MDM) or endpoint management tools. No workaround exists; patching is the only mitigation.

Patch guidance

Google Chrome will automatically prompt for an update; users should accept and restart the browser. Enterprise administrators should verify deployment through Chrome's update policies (policies.google.com). If you maintain a Chromium fork or derivative browser, backport the memory access fix from the upstream Chromium repository commit that addresses CWE-125 in the Dawn component. Test the patch in a non-production environment first, particularly if you use Chrome extensions or custom configurations.

Detection guidance

Monitor for Chrome process anomalies or segmentation faults following the update to ensure successful patch installation. In endpoint detection and response (EDR) systems, look for suspicious renderer-to-system transitions or unusual memory access patterns. Log Chrome crashes related to the graphics subsystem and cross-correlate with HTML rendering events. Network detection is of limited value since the attack requires prior renderer compromise; focus on post-compromise behavior such as elevated process spawning or file system access.

Why prioritize this

This vulnerability merits urgent priority despite requiring renderer compromise first, because (1) it enables complete sandbox escape if chained with another Chrome exploit, (2) ransomware and APT campaigns increasingly use multi-stage Chrome attacks, (3) it affects billions of Chrome users, and (4) the patch is non-disruptive. Organizations using Chrome in high-risk environments (customer-facing, threat-exposed staff, BYOD) should prioritize this within 7 days. Standard enterprise deployments should aim for 14-30 days.

Risk score, explained

The CVSS 3.1 score of 8.3 reflects a HIGH severity driven by the high impact (confidentiality, integrity, and availability all compromised via sandbox escape) and the network attack vector. The score is tempered by the high complexity (requires renderer compromise and user interaction) and unauthenticated access. The score appropriately signals urgency for enterprises, though real-world risk depends on the likelihood of successful renderer exploitation and delivery of the malicious HTML payload in the wild.

Frequently asked questions

Does this vulnerability affect Chrome on mobile devices?

Yes. Chrome on iOS, Android, and ChromeOS all use the same Dawn graphics component. iOS users receive updates through the App Store; Android users through Google Play. Verify your Chrome version is 149.0.7827.53 or later on all platforms.

Can an attacker exploit this through a normal website visit without another Chrome exploit?

No. This vulnerability requires the attacker to already have code execution in the Chrome renderer process. A normal website visit alone cannot trigger exploitation. However, if an attacker has chained this with another renderer vulnerability or delivery method, the sandbox escape becomes feasible.

What should we do in an environment where auto-update is disabled?

Manually trigger Chrome updates or deploy version 149.0.7827.53 or later through your endpoint management system. If you manage a large fleet, coordinate with your IT operations team to schedule updates, prioritizing high-risk user populations (developers, security researchers, executives) first.

Is this vulnerability exploited in the wild yet?

As of the publication date, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. However, absence from KEV does not guarantee absence from targeted attacks. Monitor security advisories and your EDR platforms for any indicators of attempted exploitation.

This analysis is based on the official CVE record and Chromium security advisory as of June 2026. Real-world risk varies by environment, user behavior, and threat landscape. Organizations should conduct their own risk assessment. Verify all patch versions and deployment steps against official Google Chrome and Chromium release notes. This explainer does not constitute security advice and should be reviewed by your security team before operational decisions. No exploit code or proof-of-concept details are provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).