CVE-2026-10947: Chrome WebRTC Use-After-Free Remote Code Execution
A use-after-free bug in Google Chrome's WebRTC implementation allows attackers to execute arbitrary code within the browser's sandbox by serving a specially crafted webpage. The vulnerability affects Chrome versions before 149.0.7827.53 and requires user interaction—the victim must visit a malicious page—but once triggered, it grants an attacker near-complete control over the isolated browser process. This is a memory safety issue where freed memory is incorrectly accessed, a common source of high-impact browser exploits.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10947 is a use-after-free (CWE-416) vulnerability in the WebRTC subsystem of Chromium-based browsers. The flaw permits a remote, unauthenticated attacker to achieve arbitrary code execution within the browser's sandbox by delivering a crafted HTML payload. The CVSS 3.1 score of 8.8 (High) reflects the network-accessible attack vector, low complexity, no privilege requirement, and requirement for user interaction, combined with high impact across confidentiality, integrity, and availability. Although sandboxed, successful exploitation could enable theft of browser-stored credentials, session hijacking, or lateral movement if combined with additional sandbox escapes.
Business impact
Organizations relying on Chrome for business workflows face data exfiltration risk if employees visit compromised or attacker-controlled websites. The attack requires no phishing sophistication—a malicious ad, compromised website, or watering-hole attack suffices. If browser credentials store corporate SSO tokens or sensitive files, the impact extends beyond the sandbox. Remote workforce environments with looser security postures face higher risk. The vulnerability does not require administrative rights or local access, making it a broadly applicable threat.
Affected systems
The vulnerability impacts Google Chrome prior to version 149.0.7827.53. Because the underlying vulnerability resides in Chromium (the open-source browser engine), derivative products including some Chromium-based distributions on macOS, Linux, and Windows are potentially affected. Users should verify patch availability for their specific browser and OS combination; Chrome auto-updates on most systems, but manual verification is prudent for critical deployments.
Exploitability
The attack is practical: it requires only that a user visit a malicious webpage, making it exploitable at scale via compromised websites, malvertising, or phishing. No advanced social engineering is necessary. However, it is not a zero-click attack—the user must interact with a page (though minimal interaction may suffice). The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting either recent disclosure or limited observed exploitation, but the high CVSS score and straightforward attack chain indicate rapid weaponization is plausible.
Remediation
Immediate action: update Google Chrome to version 149.0.7827.53 or later. Chrome's automatic update mechanism typically deploys fixes within hours of release on most platforms. For managed environments, force an update check or use MDM policies to enforce the patch. Verify the update completion via Chrome's about:version page. On Linux systems running Chromium from distribution repositories, check with your package manager for available updates. For derivative Chromium browsers, consult vendor advisories to confirm patched versions.
Patch guidance
Google Chrome should auto-update to 149.0.7827.53 or later on Windows, macOS, and most Linux distributions. To manually verify: open Chrome, navigate to Menu > Help > About Google Chrome, and observe the version number. If you see 149.0.7827.53 or higher, the patch is installed. If a lower version is displayed, Chrome will typically download and apply the update automatically; restart your browser to complete installation. For enterprise deployments using Windows Group Policy or Chromebook MDM, ensure your update policies are not delaying patch delivery. On Linux, use your package manager (apt, yum, pacman, etc.) to check for available updates to Chromium or Chrome.
Detection guidance
Detection is challenging post-exploitation but possible via behavioral indicators: monitor for unusual Chrome process spawning, unexpected network connections from Chrome, or browser crashes followed by process restarts. Endpoint Detection & Response (EDR) tools can track memory corruption patterns, though WebRTC-specific signals are subtle. Network-level detection is limited because the attack traffic is delivered via HTTP(S) to legitimate-looking pages. The most reliable control is preventive: ensure all Chrome instances are patched to 149.0.7827.53 or later. If you operate a Security Operations Center (SOC), flag any unpatched Chrome instances and prioritize their remediation.
Why prioritize this
Prioritize this as high-urgency: CVSS 8.8, no user privilege requirement, network-accessible, and WebRTC is commonly enabled by default. The use-after-free class of bugs in browser engines has a strong track record of rapid weaponization and in-the-wild exploitation. Although sandboxed, successful exploitation undermines browser isolation and can leak sensitive data. Organizations with remote workforces or BYOD policies should move this to the top of the patch queue. The lack of KEV status does not diminish risk—it may indicate the vulnerability is too recent for active exploitation to be publicly confirmed yet.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects: (1) network-accessible attack surface (AV:N), (2) low attack complexity—no exploit-specific prerequisites (AC:L), (3) no privilege escalation required (PR:N), (4) user interaction needed—the victim must navigate to a malicious page (UI:R), (5) sandbox scope limiting lateral impact (S:U), and (6) high impact on confidentiality (C:H), integrity (I:H), and availability (A:H) within the sandbox context. The score appropriately captures the severity: this is a critical browser vulnerability that demands immediate patching.
Frequently asked questions
Does this vulnerability affect me if I don't use Chrome?
Only if you use a Chromium-based browser (Microsoft Edge, Brave, Opera, Vivaldi, etc.) on a version that has not yet received a backported patch. Firefox and Safari users are not affected by this specific WebRTC bug. Always verify your browser's official security advisory or version history to confirm patch status.
Is the sandbox escape guaranteed if I visit a malicious page?
No. A successful exploit requires the attacker to craft the HTML and JavaScript very precisely to trigger the use-after-free condition. Many malicious pages may fail to exploit the bug reliably. However, the barrier to entry remains low, and skilled attackers can reliably weaponize this class of vulnerability. The sandbox itself, if unbroken, still mitigates some damage, but your browser session data remains at risk.
Can I disable WebRTC to avoid this risk?
Disabling WebRTC entirely may break legitimate video/audio conferencing features in web apps. A more practical approach is to update Chrome immediately to version 149.0.7827.53 or later. Disabling WebRTC is a defense-in-depth option if you operate a high-security environment and can tolerate reduced functionality, but it should not replace patching.
Will my Chrome auto-update handle this automatically?
In most cases, yes. Chrome's default behavior is to auto-update and prompt for restart. However, in some enterprise or locked-down configurations, updates may be delayed or paused by policy. Verify your version by typing about:version in the address bar. If you see a version lower than 149.0.7827.53, manually trigger an update check via Menu > Help > About Google Chrome or consult your IT team.
This analysis is provided for informational and educational purposes to help security professionals understand and mitigate vulnerability risk. SEC.co makes no warranty regarding the completeness or accuracy of third-party vulnerability data or vendor patch availability. Organizations must independently verify patch versions, compatibility, and deployment readiness before applying security updates. Exploitation scenarios and detection guidance are illustrative and may not cover all attack variations or environmental factors. Always consult official vendor advisories and security bulletins for authoritative patch information and compatibility matrices. This document does not constitute legal, compliance, or professional security advice; engage qualified security professionals for deployment decisions in regulated environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance