CVE-2026-10967: Chrome Android SurfaceCapture Use-After-Free Sandbox Escape
A use-after-free flaw exists in Chrome's SurfaceCapture feature on Android that allows an attacker to escape the browser sandbox. The vulnerability requires the attacker to first compromise Chrome's renderer process and then trick a user into visiting a malicious webpage. If successful, the attacker could break out of Chrome's security sandbox and gain elevated privileges on the device. This affects Chrome versions before 149.0.7827.53 on Android.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in SurfaceCapture in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10967 is a use-after-free vulnerability (CWE-416) in the SurfaceCapture component of Chromium's Android implementation. The flaw allows a malicious renderer process to access freed memory through a crafted HTML page, potentially enabling a sandbox escape. The vulnerability sits at the intersection of renderer compromise and memory safety; an attacker must first corrupt or control the renderer context, then leverage the use-after-free to execute arbitrary code with elevated privileges outside the sandbox boundary.
Business impact
A successful exploit could give attackers direct access to Android device resources, including sensitive user data, communications, and system files. For organizations with BYOD policies or employees using Chrome on personal Android devices for work, this represents a pathway to device compromise and lateral movement into corporate networks. The requirement for renderer compromise adds a practical hurdle, but combined with a prior browser vulnerability or social engineering, this becomes a credible multi-stage attack vector.
Affected systems
Google Chrome on Android devices running versions prior to 149.0.7827.53 are affected. Desktop Chrome versions are not impacted by this specific flaw. The vulnerability is specific to the Android implementation of the SurfaceCapture API and does not affect Chrome on iOS, Windows, macOS, or Linux.
Exploitability
The attack has moderate practical exploitability despite its high severity. An attacker must first achieve renderer process compromise—a non-trivial prerequisite typically requiring a separate vulnerability or sophisticated social engineering. However, once renderer control is established, triggering the use-after-free via crafted HTML is relatively straightforward. User interaction (visiting a webpage) is required, making targeted phishing a likely delivery mechanism. The CVSS score of 8.3 reflects the high impact conditional on these preconditions being met.
Remediation
Update Chrome on Android to version 149.0.7827.53 or later. Google has patched the underlying memory safety issue in the SurfaceCapture component. Organizations should prioritize deployment of this update, especially for devices used in sensitive roles or with access to corporate resources.
Patch guidance
Verify the installed Chrome version on Android devices by opening Chrome, navigating to Settings > About Chrome, and confirming the version number is 149.0.7827.53 or higher. Chrome typically auto-updates, but forced updates can be triggered via Google Play Store or organization-wide mobile device management (MDM) policies. For enterprise deployments, push the patched version through your MDM solution and monitor compliance rates. Test the update in a limited environment first if you maintain custom Chrome deployments.
Detection guidance
Detection of active exploitation is challenging without privileged access to the device. Focus on prevention: ensure Chrome auto-updates are enabled and monitor for suspicious app behavior post-update (unusual process spawning, file access, or network connections). Security information and event management (SIEM) systems may detect lateral movement attempts originating from compromised Android devices if network telemetry is available. Intrusion detection systems should look for abnormal Chrome renderer process behavior or attempts to access restricted system APIs following a targeted phishing campaign.
Why prioritize this
Despite not appearing on the KEV catalog, this vulnerability merits high priority due to its severity rating, the expanding attack surface of Android in enterprise environments, and the clarity of the technical exploit path once renderer compromise is achieved. Organizations with Android device populations in sensitive roles should patch immediately. The combination of high impact (C:H, I:H, A:H), remote attack vector, and relative ease of exploitation post-compromise warrants urgent attention in patch management queues.
Risk score, explained
The CVSS 3.1 score of 8.3 reflects a network-accessible, high-impact vulnerability with a high attack complexity (renderer compromise required) and mandatory user interaction (visiting a malicious page). The score escalates from potential but non-immediate exploitability to high urgency due to the scope change (C:S)—a sandbox escape that extends impact beyond the Chrome process itself to the broader Android system and user data.
Frequently asked questions
Do I need to worry about this if I use Chrome on iOS, Windows, or macOS?
No. CVE-2026-10967 is specific to Chrome on Android and does not affect other platforms. If your organization manages Chrome on desktop or iOS, this vulnerability does not require action for those endpoints.
What does 'renderer process compromise' mean, and how likely is it?
The renderer process is Chrome's sandboxed component that executes website code. Compromise typically requires a separate browser vulnerability or sophisticated attack. Lone exploitation via this CVE alone is not possible—an attacker needs an entry point first. Real-world scenarios might chain this vulnerability with another flaw or use social engineering to deploy malware.
Will updating Chrome break any of my apps or workflows?
Chrome updates are generally backward-compatible and rarely disrupt functionality. Testing before mass deployment is always prudent, particularly in highly regulated environments, but widespread issues are uncommon. Most users will not notice a difference.
Is there any mitigation short of patching?
Disable JavaScript if absolutely critical, but this is impractical for normal Chrome use. The best interim mitigation is user awareness training to avoid phishing links, combined with enabling Chrome auto-updates and monitoring for suspicious device behavior. However, patching is the definitive fix and should not be delayed.
This analysis is based on the CVE description and CVSS vector as published. Actual exploitability may vary depending on device configuration, Android version, and the availability of complementary vulnerabilities. Organizations should consult Google's official Chrome security advisories and their own threat landscape before prioritizing patches. This document does not constitute legal advice or a guarantee of security. Test all patches in a non-production environment first. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment