HIGH 8.3

CVE-2026-10953: Chrome Android Sandbox Escape Vulnerability – CVSS 8.3

A use-after-free vulnerability exists in Google Chrome for Android versions prior to 149.0.7827.53. An attacker who has already compromised Chrome's renderer process can exploit this flaw by crafting a malicious HTML page to break out of the browser sandbox and gain system-level access to the Android device. This is a post-compromise escalation risk rather than a direct entry point, but it significantly amplifies the impact of any renderer exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Core in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10953 is a use-after-free memory corruption flaw (CWE-416) in the Core component of Chrome for Android. The vulnerability allows a sandboxed renderer process attacker to craft HTML that triggers unsafe memory access, bypassing the sandbox isolation layer. The attack requires user interaction (opening or viewing the malicious page) and an already-compromised renderer context, making it a secondary exploitation vector. The Chromium project assigned High severity to this issue due to its potential for sandbox escape and full system compromise.

Business impact

A successful exploitation chain combining a renderer vulnerability with this sandbox escape creates a critical risk: an attacker gains unauthenticated remote code execution at the Android system level, potentially leading to theft of credentials, contacts, financial data, and private communications. For organizations managing Android devices with Chrome as the primary browser—particularly those handling sensitive data or accessing enterprise systems—this amplifies the urgency of prompt patching. Unpatched devices remain vulnerable to multi-stage attacks that first compromise the renderer, then escape the sandbox.

Affected systems

Google Chrome for Android versions before 149.0.7827.53 are vulnerable. Desktop and iOS versions of Chrome are not affected by this particular flaw. Android devices running affected Chrome builds are at risk; the vulnerability has no bearing on Chrome-based browsers on other platforms or non-Chromium Android browsers unless they share the affected Core code.

Exploitability

Exploitation requires two preconditions: the renderer process must already be compromised (typically via a separate renderer vulnerability), and the user must interact with a crafted HTML page. This two-stage requirement reduces immediate risk from random web browsing, but in targeted campaigns or when combined with other Chrome flaws, the attack surface becomes material. The High CVSS score (8.3) reflects the severe consequences (full sandbox escape) despite the elevated attack complexity. No public exploit is currently known, and the vulnerability has not entered CISA's KEV catalog.

Remediation

Update Chrome for Android to version 149.0.7827.53 or later as soon as possible. Organizations managing Android fleet devices should enforce automated or mandatory updates via Mobile Device Management (MDM) policies. Users should enable automatic updates in Chrome settings and verify their current version in Chrome Settings > About Chrome. No workarounds mitigate the vulnerability short of upgrading.

Patch guidance

Verify that your deployed Chrome version matches or exceeds 149.0.7827.53 by reviewing user device inventories or MDM console reports. Prioritize devices in high-risk roles (those accessing financial systems, email, or classified data). If your organization uses Chrome policies, set the CrashReportingEnabled and AutoUpdateCheckPeriod policies to ensure timely patching. Test the update in a controlled environment first if you manage a large heterogeneous fleet, though this vulnerability alone does not warrant extended testing delays.

Detection guidance

Monitor Android device logs for Chrome crashes or unexpected process terminations, which may signal exploitation attempts. If you operate a SIEM, correlate Chrome version data from MDM or endpoint management tools with this CVE identifier to identify unpatched devices. Behavioral detection is difficult without full system intrusion indicators, since the exploit assumes the renderer is already compromised; focus on preventing the initial renderer breach through content security policies and regular patching of other Chrome flaws.

Why prioritize this

Although this vulnerability requires pre-compromise of the renderer process, it represents a critical capability: sandbox escape. In an environment where multiple Chrome vulnerabilities are discovered in close succession, or where adversaries are known to chain exploits, this becomes a high-priority patch. Even without active KEV listing, the combination of High severity, full system compromise potential, and the prevalence of Chrome on Android devices makes it a top-tier remediation candidate for security teams managing mobile infrastructure.

Risk score, explained

The CVSS 3.1 score of 8.3 reflects High severity due to: (1) High impact across confidentiality, integrity, and availability; (2) Network attack vector requiring user interaction; (3) Elevated attack complexity due to the need for an already-compromised renderer. The score appropriately captures the severe consequences (sandbox escape leading to system compromise) while accounting for the prerequisite of renderer compromise, making this a secondary but critical escalation vector in multi-stage attack chains.

Frequently asked questions

Do I need to patch this immediately if I haven't had any Chrome compromises?

Yes. While exploitation requires a compromised renderer, the risk of that renderer being compromised is non-zero. Patching removes the secondary escalation path and reduces your overall attack surface. If other Chrome vulnerabilities are discovered, leaving this unpatched increases your exposure significantly.

Does this affect Chrome on Windows, macOS, or iOS?

No. This vulnerability is specific to Chrome on Android due to its reliance on Android-specific sandbox mechanisms. Desktop and iOS versions are unaffected, though both platforms should remain up-to-date for other security reasons.

What if my organization doesn't allow automatic updates?

Establish a change control process to evaluate and deploy Chrome updates on a weekly or bi-weekly cadence. For High and Critical severity issues like this, consider expedited approval windows (24–48 hours). MDM solutions can also be configured to enforce updates during maintenance windows, reducing business disruption.

Can I detect if this vulnerability has been exploited on my devices?

Direct detection is challenging because the attack assumes the renderer is already compromised. Focus on detecting the initial renderer compromise through app sandboxing violations, unusual network activity, and system-level intrusions. Post-exploitation forensics would show unexpected system-level process activity or unauthorized data access, but these are difficult to attribute to this specific CVE without detailed logging.

This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Always verify patch availability and compatibility with your specific environment before deploying updates. Exploitation requires a pre-compromised renderer process; this is not a direct remote code execution vector from unauthenticated browsing. Organizations should consult their vendor advisories and security teams before making patching decisions. SEC.co assumes no liability for damages resulting from reliance on this information or failure to apply patches. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).