HIGH 8.3

CVE-2026-10929: Chrome Android Heap Buffer Overflow & Sandbox Escape Vulnerability

A memory safety flaw in ANGLE (the graphics abstraction layer used by Chrome) allows an attacker who has already compromised Chrome's sandboxed renderer process to escape that sandbox and gain full system access on Android devices. The attacker must trick a user into visiting a malicious webpage. This affects Chrome versions prior to 149.0.7827.53 on Android.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-122
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Heap buffer overflow in ANGLE in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10929 is a heap buffer overflow in ANGLE, the cross-platform graphics abstraction layer integrated into Chromium. The vulnerability exists in Chrome on Android versions before 149.0.7827.53. The flaw requires two preconditions: (1) the attacker must first compromise the renderer process, which runs in a sandbox, and (2) the user must visit a malicious HTML page. The heap overflow occurs in memory managed by the graphics subsystem, allowing out-of-bounds writes that can corrupt heap metadata and adjacent objects. By carefully crafting graphics operations via HTML canvas or WebGL, an attacker can leverage this overflow to break out of the renderer sandbox and execute arbitrary code with the privileges of the Chrome process. Chromium rated this High severity.

Business impact

For organizations deploying Android devices with Chrome, this vulnerability creates a two-stage attack chain: initial renderer compromise (via separate vulnerability or social engineering) followed by sandbox escape. Successful exploitation grants an attacker the ability to read sensitive data, modify system settings, install malware, or pivot to other apps and services on the device. The requirement for an already-compromised renderer narrows the immediate attack surface, but organizations relying on Chrome as a primary mobile browser should treat this as a sandbox-escape risk factor when assessing overall Android security posture. Remediation is straightforward via patching.

Affected systems

Google Chrome on Android devices running versions prior to 149.0.7827.53 are affected. Desktop and iOS versions of Chrome are not affected by this specific flaw. The vulnerability does not affect Google Android itself as a platform; rather, it affects the Chrome application running on Android. All Android-based devices with vulnerable Chrome installations—including phones, tablets, and Chromebooks—are in scope if they meet the version threshold.

Exploitability

Exploitation requires two conditions, reducing the immediate risk. First, an attacker must compromise the Chrome renderer process itself, which typically requires a separate vulnerability (e.g., in JavaScript engine, DOM parsing, or media codecs). Second, the user must visit a website controlled by or compromised by the attacker. Once the renderer is compromised, the attacker can craft a malicious HTML page embedding graphics operations (canvas, WebGL) that trigger the heap overflow and achieve sandbox escape. The CVSS vector (AC:H, PR:N, UI:R) reflects the high attack complexity and user interaction requirement. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public exploit code is known at this time.

Remediation

Update Chrome on Android to version 149.0.7827.53 or later. This is a straightforward patch release. Users can enable automatic updates in Chrome settings, or manually check Settings > About Chrome to trigger an update check. Organizations managing Android devices should prioritize rolling out this update to all affected devices. Given the sandbox-escape nature, this should be treated as a high-priority patch for any organization where Android devices run Chrome and store or access sensitive data.

Patch guidance

Google has released Chrome 149.0.7827.53 and later with a fix for this heap buffer overflow. The patch hardens the heap allocator, adds bounds checking to the affected ANGLE code path, and validates buffer operations in graphics rendering. Verify your current Chrome version via Settings > About Chrome, which will also trigger auto-update if enabled. For managed Android deployments (via MDM or enterprise enrollment), use your mobile device management solution to enforce the minimum version requirement. Rollout timeline: update immediately for high-risk devices (those handling payment data, healthcare information, or credentials); complete rollout within 30 days for standard deployments.

Detection guidance

Monitor Chrome version inventory across your Android fleet using MDM reporting. Flag devices running Chrome versions below 149.0.7827.53. If you have SIEM integration, look for renderer process crashes or GPU driver anomalies that might indicate exploitation attempts, though these are not distinctive signatures for this specific flaw. Network detection is limited because the malicious HTML is delivered over standard web traffic; focus on keeping inventory current rather than trying to detect exploitation after the fact. Some organizations may log graphics API errors or memory protection violations at the OS level, but these would require Android security logging to be enabled.

Why prioritize this

Although CVSS 8.3 is high and the vulnerability enables sandbox escape, the two-stage exploitation requirement (prior renderer compromise + user interaction) limits immediate risk. Prioritization depends on organizational context: if your Android fleet frequently accesses untrusted websites or includes high-value targets, elevate this to immediate action. For locked-down corporate deployments or devices with restricted web access, schedule patching within your standard high-priority cycle (30 days). The sandbox-escape nature justifies urgent treatment relative to typical high-severity bugs, because a second-stage attacker gains unrestricted device access.

Risk score, explained

The CVSS 8.3 score reflects: (1) network attack vector (readily accessible), (2) high attack complexity (requires prior renderer compromise and careful heap manipulation), (3) no privileges required for initial contact, (4) user interaction required (visiting a malicious page), (5) changed scope (sandbox escape affects system confidentiality, integrity, and availability). The High severity designation is appropriate because a successful exploit grants unrestricted code execution at the Chrome process privilege level, enabling complete compromise of device data and services accessible to that process. The score is not Critical because exploitation is not trivial and requires a preceding vulnerability or significant social engineering.

Frequently asked questions

Do I need to patch desktop Chrome or Chrome on iOS?

No. This vulnerability affects only Chrome on Android. Desktop and iOS versions use different graphics subsystems and are not vulnerable to this particular heap buffer overflow in ANGLE.

What happens if a user visits a malicious page before updating?

Visiting the page alone does not cause exploitation. The attacker must first compromise the renderer process using a separate vulnerability (such as a JavaScript engine flaw or media parser bug). Only after the renderer is compromised can they weaponize this heap overflow to escape the sandbox. If no prior compromise exists, the malicious page will have no effect.

Is this vulnerability currently being exploited?

No. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public exploits have been disclosed. However, organizations should still patch promptly because the sandbox-escape capability makes it valuable to sophisticated attackers.

Can I detect if my device has been exploited?

Not reliably without forensic investigation. Successful exploitation would typically be followed by installation of additional malware or unauthorized data exfiltration. Enable Chrome synchronization and account security alerts to catch suspicious activity. For managed devices, use MDM reporting to detect anomalous behavior or unexpected apps. Most important: ensure your device is patched promptly to prevent exploitation in the first place.

This analysis is provided for informational purposes and represents SEC.co's professional assessment based on available vendor data and threat intelligence as of the publication date. The information herein does not constitute legal advice, professional security recommendations for your specific organization, or a guarantee of accuracy. Readers should verify all patch versions, affected product lists, and vendor advisories against official Google Chrome security releases before taking action. Security assessments and remediation timelines should be customized to your organization's risk profile, asset criticality, and operational constraints. SEC.co does not guarantee the completeness or applicability of this information for any particular deployment. Always consult your security team and vendor resources before implementing changes in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).