HIGH 8.8

CVE-2026-10954: Chrome Use-After-Free in Actor Component Allows Sandbox Code Execution

A use-after-free memory safety bug in Google Chrome's Actor component allows attackers to run malicious code within the browser's sandbox by tricking users into visiting a specially crafted web page. The vulnerability affects Chrome versions before 149.0.7827.53 and requires user interaction—specifically clicking a link or visiting a malicious site—but no special privileges. Once triggered, an attacker gains the ability to read, modify, or delete data and potentially escape the sandbox to affect the underlying operating system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10954 is a use-after-free vulnerability (CWE-416) in the Actor component of Chromium-based browsers. The flaw arises when memory is freed but subsequently accessed without proper validation, allowing an attacker to corrupt heap state or execute arbitrary code. The vulnerability is triggered via a maliciously crafted HTML page delivered over the network. While the initial exploitation occurs within Chrome's sandbox—limiting direct OS access—the high CVSS score (8.8) reflects the severity of code execution within that privileged context. The attack vector is network-based, requires only user interaction, and has low attack complexity.

Business impact

Compromised Chrome users face data exfiltration risks, including theft of credentials, session tokens, and sensitive information stored in browser memory or accessible to Chrome processes. In enterprise environments where Chrome is the primary browser, widespread exploitation could lead to lateral movement, credential harvesting, and secondary attacks on internal systems. Additionally, sandbox escape techniques could extend impact to the host operating system, potentially enabling further malware installation or persistence.

Affected systems

Google Chrome prior to version 149.0.7827.53 is the primary affected product. The vulnerability also affects Chrome on Apple macOS, Linux systems running the Linux kernel, and Microsoft Windows. Any system running a vulnerable Chrome version is at risk if users are tricked into visiting malicious web pages. Chromium-based browsers and derivatives may also be affected depending on their patch status and release cycle.

Exploitability

The vulnerability has a low barrier to exploitation from an attacker's perspective: no special privileges are required, the attack surface is broad (any web page), and attack complexity is low. However, successful exploitation requires user interaction—the victim must visit a malicious site or open a crafted link. Given the ubiquity of Chrome and the ease of phishing or drive-by downloads, this constraint is not a significant limitation in practice. The vulnerability is not currently listed in the CISA KEV catalog, indicating no evidence of active in-the-wild exploitation at publication time, but that status can change rapidly.

Remediation

Users and administrators must update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically deploys patches within days, but forced updates may be necessary in enterprise environments. On macOS, Linux, and Windows, verify that Chrome has been upgraded through Settings > About Google Chrome. For managed deployments, use platform-specific update policies to enforce the patch. No workarounds are available; patching is the only mitigation.

Patch guidance

Apply Chrome version 149.0.7827.53 or any later release as soon as possible. Most users will receive the patch automatically; verify installation by checking Settings > About Google Chrome, which should display the new version number and confirm an up-to-date status. In enterprise settings, administrators can use Chrome policies or mobile device management (MDM) solutions to enforce updates across managed devices. Prioritize patching for high-risk users (those handling sensitive data) and regularly connected systems; offline or air-gapped systems pose lower immediate risk but should still be patched within a defined maintenance window.

Detection guidance

Monitor Chrome version inventory across your infrastructure using endpoint detection and response (EDR) tools, mobile device management solutions, or asset management platforms. Alert on any machines running Chrome versions below 149.0.7827.53. Additionally, configure web proxies or next-generation firewalls to flag suspicious HTML patterns or pages known to trigger this flaw (if threat intelligence becomes available). Monitor for unusual child process spawning from Chrome or unexpected sandbox escape attempts. Behavioral analytics may detect credential theft or data exfiltration following a successful exploitation event.

Why prioritize this

Despite the lack of active in-the-wild exploitation (no KEV listing), this vulnerability merits urgent attention due to its high CVSS score (8.8), code execution capability, and low attack complexity. Chrome's massive user base and the ease of delivering a malicious web page make this a likely target for threat actors once reliable exploits are developed or shared. The window between patch release and widespread exploitation is typically narrow for browser vulnerabilities, making rapid deployment critical.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects the combination of network-based attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), and user interaction (UI:R). High impact ratings for confidentiality, integrity, and availability (C:H/I:H/A:H) reflect the potential for arbitrary code execution within the browser. The sandbox restriction prevents an automatic CRITICAL rating, but the ease of exploitation and breadth of exposure justify the HIGH classification. Organizations should treat this as an urgent patch priority.

Frequently asked questions

Can this vulnerability be exploited on non-Chrome Chromium browsers like Edge or Brave?

Potentially, yes. The vulnerability exists in the underlying Chromium engine used by Chrome, Edge, Brave, and other Chromium-based browsers. However, patch availability and release timing vary by vendor. Verify your browser vendor's security advisories for specific affected versions and apply patches accordingly.

Is it safe to continue using Chrome if I don't visit untrusted websites?

While limiting risky browsing behavior reduces exposure, it is not a reliable defense. Malicious content can be embedded in legitimate-looking pages, delivered via supply chain compromises, or disguised through social engineering. Relying solely on user behavior is insufficient; patching is essential.

What is the difference between a use-after-free vulnerability and a buffer overflow?

Both are memory safety bugs, but they differ mechanistically. A use-after-free occurs when code accesses memory that has already been deallocated, potentially allowing an attacker to control the contents of that freed memory. A buffer overflow occurs when code writes beyond the boundary of an allocated buffer. Both can lead to code execution, but the exploitation techniques and mitigations differ.

If this vulnerability is not in the KEV catalog, why should we prioritize it highly?

The KEV catalog tracks vulnerabilities with confirmed active exploitation. This vulnerability was recently published and not yet exploited in the wild at the time of listing, but that status is not permanent. Browser vulnerabilities are frequent targets for exploit development. Waiting for evidence of active exploitation before patching is a reactive and risky strategy; proactive patching within days of release is the security best practice.

This analysis is provided for informational purposes and is based on publicly available vulnerability disclosures as of the publication date. SEC.co does not warrant the accuracy or completeness of this information. Patch version numbers, affected software versions, and vendor advisories should be verified against official vendor documentation before deployment. Organizations should conduct their own risk assessment and testing in non-production environments prior to applying patches. Security classifications and exploit timelines may change as new information becomes available. This explainer does not constitute professional security advice; consult with qualified cybersecurity professionals for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).