CVE-2026-10942: Google Chrome Windows Privilege Escalation Vulnerability
Google Chrome on Windows contains a UI implementation flaw that allows a local attacker to escalate privileges by opening a malicious file. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction (opening a file) but no authentication. If exploited, an attacker could gain elevated system privileges on an affected machine.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in UI in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10942 is a privilege escalation vulnerability in Google Chrome's UI layer on Windows systems. The flaw stems from improper input validation (CWE-20: Improper Input Validation) in the user interface implementation. An unauthenticated local attacker can trigger the vulnerability by crafting a malicious file that, when opened or accessed by a user through Chrome, bypasses normal privilege boundaries. The vulnerability was assigned Chromium security severity 'High' and carries a CVSS 3.1 score of 7.8 (High), reflecting the combination of local attack surface, user interaction requirement, and full compromise potential (confidentiality, integrity, and availability impact).
Business impact
Successful exploitation could allow attackers who have local system access to escalate to higher privilege levels, potentially enabling full system compromise including data exfiltration, malware installation, and lateral movement within corporate networks. For organizations where users have local file system access and encounter untrusted files, this represents a path to admin-level control. The requirement for local access and user interaction limits blast radius compared to remote exploits, but the impact per compromised machine is severe.
Affected systems
Google Chrome versions prior to 149.0.7827.53 running on Microsoft Windows are affected. The vulnerability does not impact Chrome on other operating systems (Linux, macOS) or other browsers. Systems where users operate with standard privileges and receive file downloads from external sources face elevated risk.
Exploitability
Exploitation requires three conditions: (1) Chrome to be installed and in use on a Windows system, (2) the attacker to have created a malicious file and delivered it to a user, and (3) the user to open that file in Chrome or interact with it in a way that triggers the UI flaw. The attack is not wormable or remotely triggerable without user action. No public exploit code has been indexed in CISA's KEV catalog, though this does not rule out private exploitation. The requirement for user interaction and local system access significantly reduces immediate organizational exposure compared to remote code execution vulnerabilities.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome typically auto-updates; verify that automatic updates are enabled in your environment. For managed deployments, use enterprise deployment tools or group policy to push the update. Confirm successful patching by checking Chrome's version in Settings > About Chrome, which will display the current build number and auto-update status.
Patch guidance
Apply the Chrome update to version 149.0.7827.53 or any subsequent release. For Windows enterprise environments, leverage Google's enterprise deployment resources or partner configuration management platforms (SCCM, Intune, etc.) to distribute the patch. Test in a pilot group before full deployment to ensure no compatibility issues with line-of-business applications that embed or interact with Chrome. Verify patch application across all machines running affected Chrome versions, including shared workstations and developer machines.
Detection guidance
Monitor for Chrome update installation success and version compliance via endpoint detection and response (EDR) tools or software inventory systems. Flag systems running Chrome versions below 149.0.7827.53. Watch for suspicious file access or execution patterns where non-privileged processes spawn child processes with elevated tokens, which may indicate privilege escalation attempts. Correlate file open events with Chrome process activity, particularly for files from unusual sources or with suspicious extensions. Behavioral analytics can detect post-exploitation lateral movement or credential access following a privilege escalation.
Why prioritize this
Although CVE-2026-10942 carries a High CVSS score and impacts privilege escalation, it is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting limited active weaponization at the time of publication. However, the straightforward attack vector (local + user interaction) and severe impact (full privilege escalation) mean this should be remediated within standard patch windows for Chrome. Prioritize systems where users frequently receive external files or where high-value users operate.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects a High-severity vulnerability: local attack vector (AV:L), low attack complexity (AC:L), no privilege requirement (PR:N), and required user interaction (UI:R) combine with full impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately captures the severity of privilege escalation, though the need for user interaction and local access prevents a Critical rating. The vulnerability's absence from the KEV catalog does not lower the intrinsic severity but does suggest it is not currently prioritized by attackers as a mass-exploitation vehicle.
Frequently asked questions
Does this vulnerability allow remote attackers to compromise Windows machines running Chrome?
No. The vulnerability requires local system access and user interaction. A remote attacker would need to first gain a foothold on the target machine or trick a user into opening a malicious file, at which point local privilege escalation becomes possible. It is not a remote code execution vulnerability.
If Chrome auto-updates are enabled, am I automatically protected?
Likely yes, but verify. Chrome's auto-update feature should install version 149.0.7827.53 or later automatically. However, if updates are disabled, throttled, or if a machine is offline during the update window, it may remain unpatched. Check Settings > About Chrome to confirm your current version.
Do I need to update Chrome on non-Windows systems?
No. This vulnerability affects only Google Chrome on Microsoft Windows. Chrome on macOS, Linux, and ChromeOS is not affected by CVE-2026-10942, though users should always keep their browsers updated for defense-in-depth.
What should I do if a user reports opening a suspicious file with Chrome?
Immediately verify the user's system Chrome version and ensure it is updated to 149.0.7827.53 or later. Review recent file open events and process execution logs for signs of privilege escalation or unexpected elevated-privilege child processes. If suspicious activity is detected, initiate your incident response protocol, including credential reset for affected users and analysis for lateral movement or persistence mechanisms.
This analysis is provided for informational purposes to support cybersecurity decision-making. The vulnerability details, CVSS score, and affected versions are based on official sources including the NVD and Chromium security advisories published as of the analysis date. Patch version numbers and availability should be verified against Google's official Chrome release notes and security advisories before deployment. Organizations are responsible for testing patches in their environments before production rollout. This is not legal advice; consult your organization's security and legal teams regarding vulnerability response obligations and timelines. SECurity intelligence is current as of the provided publication and modification dates; always reference the latest vendor advisories for the most up-to-date guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10922HIGHChrome DevTools Same-Origin Policy Bypass (CVSS 8.8)
- CVE-2026-10968HIGHChrome Cross-Origin Data Leak in Dawn Graphics Engine (CVSS 7.4)
- CVE-2026-10969HIGHChrome Extension Privilege Escalation Vulnerability – Patch Guidance
- CVE-2026-10970HIGHChrome Sandbox Escape via InterestGroups Input Validation Flaw