CVE-2026-10935: Chrome V8 Type Confusion Remote Code Execution (CVSS 8.8)
A type confusion vulnerability in Google Chrome's V8 JavaScript engine allows attackers to execute arbitrary code within the browser's sandbox by tricking users into visiting a malicious website. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction (clicking a link or visiting a page). While the code executes within the sandbox, successful exploitation could allow attackers to read, modify, or delete user data accessible to the browser.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-843
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Type Confusion in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10935 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine used by Google Chrome. Type confusion occurs when an attacker manipulates how the engine interprets data types, allowing arbitrary code execution within the browser sandbox. The vulnerability is triggered via a specially crafted HTML page delivered to the victim. Attack complexity is low, requiring only network access and user interaction. The vulnerability affects all platforms where Chrome runs, including Windows, macOS, and Linux-based systems. Google has assigned this a High severity rating within the Chromium security framework.
Business impact
For organizations, this vulnerability creates risk across any environment where users browse the web with affected Chrome versions. While sandboxed execution limits direct system compromise, successful exploitation could lead to theft of sensitive data (credentials, intellectual property, personal information), session hijacking, or lateral movement if combined with other vulnerabilities. Remote workforce and BYOD environments are particularly exposed if Chrome auto-update is disabled or delayed. Incident response teams should assume that any user visiting untrusted websites during the vulnerability window could be compromised.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are vulnerable on all supported platforms: Windows, macOS, and Linux. The vulnerability exists in the V8 engine, which is also embedded in other Chromium-based browsers (Edge, Opera, Brave, etc.), though this CVE specifically references Chrome. Organizations should verify whether other Chromium derivatives in use are similarly affected by checking vendor advisories. The vulnerability does not directly affect the Linux kernel or macOS/Windows operating systems themselves, but rather the browser application running on those platforms.
Exploitability
Exploitability is moderate to high in real-world conditions. The attack requires user interaction (visiting a malicious webpage), which attackers can achieve through phishing, malicious advertisements, or compromised websites. Attack complexity is low; no special privileges, authentication, or user-side configuration is required beyond the browser visiting the attacker's page. The vulnerability is not known to be actively exploited in the wild as of the modification date, and it has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. However, type confusion bugs are well-understood attack primitives, and proof-of-concept development is feasible for motivated attackers.
Remediation
Users and administrators must update Google Chrome to version 149.0.7827.53 or later. Chrome typically auto-updates, but administrators should verify deployment in managed environments. For organizations running older Chrome versions, immediate patching is recommended given the high CVSS score and user-facing attack surface. Additionally, organizations should enforce Chrome auto-update policies and educate users to avoid untrusted websites and email links. Browser isolation or sandbox technologies may provide defense-in-depth but should not substitute for patching.
Patch guidance
Update Chrome to 149.0.7827.53 or later via Settings > About Chrome (auto-update) or manual download from google.com/chrome. For enterprise environments, use Google Admin Console or your mobile device management (MDM) platform to push updates across managed devices. Verify the update has taken effect by checking chrome://version. Consider scheduling mandatory updates during maintenance windows to minimize user disruption. For devices unable to auto-update, manual intervention or policy enforcement is required; document any exceptions.
Detection guidance
Network detection: Monitor for HTTP requests to known malicious domains hosting Chrome exploits; anomalous JavaScript payloads sent to browsers; unusual post-exploitation lateral movement or data exfiltration. Endpoint detection: Log Chrome process crashes or abnormal child process spawning (sandbox escapes); monitor for suspicious scripts in user profiles or temp folders. Behavioral detection: Alert on users accessing high-risk external websites or clicking suspicious links followed by Chrome crashes or unusual network activity. Log Chrome version via endpoint inventory to identify unpatched systems. Check browser extensions and installed applications for signs of post-exploitation persistence.
Why prioritize this
This vulnerability merits immediate prioritization due to high CVSS score (8.8), high confidentiality/integrity/authentication impact, low attack complexity, and widespread deployment of Chrome. The attack surface is large—any user browsing the web is a potential victim. While sandboxed execution provides some mitigation, successful exploitation can compromise sensitive user data and create entry points for further attacks. The lack of current public exploitation does not reduce urgency; proactive patching prevents future campaigns targeting this flaw.
Risk score, explained
CVSS 3.1 score of 8.8 reflects a HIGH severity vulnerability with high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). Attack vector is network (AV:N), attack complexity is low (AC:L), no privileges required (PR:N), and user interaction is required (UI:R). Scope is unchanged (S:U), meaning the vulnerability is confined to the affected component. The score appropriately reflects the real-world danger: widespread exposure, easy exploitation, and significant potential harm to users.
Frequently asked questions
Does this vulnerability affect browsers other than Chrome?
CVE-2026-10935 is specific to Google Chrome's V8 engine. However, other Chromium-based browsers (Microsoft Edge, Brave, Opera) embed the same V8 engine and may be similarly vulnerable depending on their version and how quickly vendors backport fixes. Check your browser vendor's security advisory or version number to confirm patch status.
Is my data safe in Chrome's sandbox if I'm exploited?
Chrome's sandbox limits damage by restricting the exploit's access to the browser process and its data (cookies, site data, credentials). However, this is not absolute protection—attackers can still steal browsing data, session tokens, or credentials entered into websites. Combined with other vulnerabilities, sandbox escape is possible. Patching remains the primary defense.
What should I do if I visited a suspicious website before updating?
If you believe you visited a malicious site, immediately update Chrome and change passwords for sensitive accounts (email, banking, corporate). Monitor accounts for suspicious activity (unauthorized logins, data access). Check your Chrome extensions for unauthorized additions. Consider using a password manager to audit stored credentials. For corporate users, notify your IT security team so they can monitor your accounts for compromise indicators.
Is this vulnerability actively being exploited?
As of the vulnerability modification date (June 17, 2026), there is no evidence of active exploitation in the wild, and it has not been added to CISA's Known Exploited Vulnerabilities list. However, do not rely on this as justification to delay patching—attackers actively develop exploits for high-profile browser vulnerabilities, especially after public disclosure. Assume exploitation could begin at any time.
This analysis is provided for educational and operational security purposes. The information reflects publicly available data and Chromium security advisory details as of the modification date. Verify all patch versions, affected product lists, and vendor guidance directly with official sources before deployment. SEC.co does not guarantee the accuracy of third-party vendor information or timelines for security updates. Organizations should conduct internal risk assessments and testing before implementing mitigations. No warranty is provided regarding the completeness or suitability of this guidance for specific environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10022HIGHChrome V8 Type Confusion Vulnerability in Extensions
- CVE-2026-10910HIGHType Confusion in Chrome V8 Engine – Arbitrary Code Execution
- CVE-2026-10936HIGHType Confusion in Chrome V8 Engine – Remote Code Execution
- CVE-2026-10962HIGHType Confusion in Chrome Media Handling – Code Execution Risk
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution