HIGH 8.8

CVE-2026-10965: Chrome DevTools Integer Overflow Remote Code Execution

A vulnerability in Google Chrome's DevTools allows attackers to execute malicious code within Chrome's sandbox by tricking users into visiting a specially crafted webpage. The flaw stems from an integer overflow—a coding error where a number exceeds its maximum value—that can be exploited without requiring special browser settings or elevated permissions. Chrome versions before 149.0.7827.53 are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-472
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Integer overflow in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10965 is an integer overflow vulnerability (CWE-472) residing in the DevTools component of Chromium. The vulnerability permits remote arbitrary code execution within the renderer sandbox via a crafted HTML page. The attack vector is network-based with low complexity; user interaction (visiting a malicious page) is required. The integrity of the sandboxing mechanism is not circumvented, but code execution within the confined environment still represents a significant security gap. Google rated this Chromium security severity as High.

Business impact

Successful exploitation could allow attackers to steal sensitive data processed within the browser, inject malicious content, or use compromised browser processes as a foothold for lateral movement within a network. Organizations relying on Chrome for accessing web-based applications or sensitive services face elevated risk of credential theft and data exfiltration. The need for user interaction reduces but does not eliminate the threat—social engineering or malicious advertisement networks can reliably deliver the exploit payload.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are directly affected. The vulnerability impacts Chrome deployments across Windows, macOS, and Linux environments. Users on any of these operating systems running vulnerable Chrome versions require immediate patching.

Exploitability

Exploitation requires only network access and user interaction—a user must visit a crafted webpage. No authentication, special browser configuration, or local access is necessary. The low attack complexity and absence of preconditions make this vulnerability relatively straightforward to exploit. However, the requirement for user interaction (clicking a link, visiting a site) provides a limited window for defense through user awareness and network-level controls.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. The patch is available through Chrome's automatic update mechanism; users should verify their version in Chrome Settings > About Chrome and confirm the update has applied. Organizations managing Chrome deployments should verify patch installation across their fleet before considering this vulnerability remediated.

Patch guidance

Chrome typically auto-updates; however, verify the update has completed by navigating to chrome://settings/help and confirming version 149.0.7827.53 or higher is installed. For enterprise deployments, verify Chrome update policies are enforced and that managed devices have received the patch. Some organizations may need to manually trigger updates or use mobile device management (MDM) tools to ensure coverage. After patching, restart the browser to ensure the new version is active.

Detection guidance

Monitor Chrome version inventory across your organization to identify instances running versions prior to 149.0.7827.53. Endpoint detection and response (EDR) tools should monitor for unusual DevTools subprocess creation or unexpected code execution within chrome.exe/chromium processes. Network-based detection is challenging since the exploit is delivered via standard HTTPS traffic; focus detection efforts on post-exploitation indicators such as credential access, process injection attempts, or data exfiltration. User reports of unexpected browser behavior or crashes in DevTools may indicate exploitation attempts.

Why prioritize this

Despite not being tracked in the Known Exploited Vulnerabilities (KEV) catalog, the combination of high CVSS score (8.8), remote exploitability, low attack complexity, and ubiquitous Chrome deployment warrants immediate prioritization. The requirement for user interaction is the primary limiting factor; however, attackers routinely achieve this through social engineering. Organizations should treat this as a critical patch priority given Chrome's central role in web access and data handling.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects: network-based attack vector requiring only user interaction, low attack complexity, and high impact to confidentiality, integrity, and availability within the sandbox context. The score does not account for potential sandbox escape vectors or the prevalence of Chrome in enterprise environments, both of which could elevate real-world risk. The absence of KEV status indicates active exploitation has not yet been reported to CISA, but this does not imply the vulnerability is less serious—it may simply reflect early discovery or limited attacker visibility.

Frequently asked questions

If an attacker executes code in Chrome's sandbox, can they break out and compromise my entire system?

The sandbox is designed to contain the attacker's code, preventing direct system compromise. However, sandbox escape vulnerabilities do exist and are often chained with other flaws. Additionally, code running in the sandbox can steal sensitive data (passwords, authentication tokens, personal information) from pages you visit, which is itself a serious breach. Defense-in-depth practices—keeping the OS patched, limiting admin privileges, and using endpoint protection—help mitigate sandbox escape risk.

Does Chrome auto-update, or do I need to manually patch?

Chrome is configured to auto-update by default on most systems. However, automatic updates do not always apply immediately, and the browser must be restarted for the new version to take effect. Check chrome://settings/help to verify your current version and force an update if needed. Enterprise users should consult their IT team, as organizational policies may control update timing.

Is this vulnerability currently being exploited in the wild?

As of the published date, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog, suggesting it is not yet actively weaponized at scale. However, the absence of public exploit code or reported attacks does not guarantee safety—threat actors often exploit vulnerabilities before disclosure becomes widespread. Patching promptly remains essential.

What should I advise users if they cannot patch immediately?

Avoid visiting untrusted websites, do not click links from unknown sources, and disable browser extensions from untrusted publishers. However, these mitigations are not foolproof; user vigilance alone cannot prevent all attack vectors, particularly if adversaries use reputable sites for malvertising. Patching is the definitive remediation and should be prioritized within days, not weeks.

This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. The information herein reflects publicly available data as of the published and modified dates and does not constitute legal advice or guarantee of exploit availability or active threat status. Organizations should verify patch availability and compatibility in their environment before deployment. For the most current information, consult Google's official Chrome security advisories and your organization's vulnerability management policies. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).