CVE-2026-10991: Chrome V8 Use-After-Free Remote Code Execution Vulnerability
Google Chrome contains a use-after-free memory vulnerability in its V8 JavaScript engine that can allow an attacker to run malicious code within Chrome's sandbox. The flaw requires user interaction—specifically, the victim must perform certain UI gestures (like clicking or interacting with specific page elements) while viewing a specially crafted webpage. Once triggered, the vulnerability could allow code execution with the privileges of the Chrome process, potentially compromising the user's browsing session and data. This affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10991 is a use-after-free vulnerability (CWE-416) in Google Chrome's V8 JavaScript engine. Use-after-free flaws occur when a program references memory that has already been freed, allowing attackers to corrupt memory state or redirect execution. In this case, the vulnerability is triggered through a crafted HTML page that manipulates V8's memory management under specific user interaction conditions. The attack succeeds when the user performs targeted UI gestures while the malicious page is active. Exploitation results in arbitrary code execution within Chrome's sandbox environment. Google assigned a "Medium" security severity rating internally, though the CVSS 3.1 score of 8.8 reflects the high impact potential of arbitrary code execution.
Business impact
Organizations should assess their exposure based on Chrome deployment scope. While the sandbox limits direct OS-level compromise, successful exploitation could lead to theft of session cookies, cached credentials, site data, and browsing history. For enterprises where users access sensitive applications through the browser—including SaaS platforms, cloud services, and internal web applications—a compromised browser instance poses material risk. The requirement for user interaction lowers the attack surface compared to fully remote, interaction-free exploits, but social engineering or malicious advertisements could lower the friction of triggering the necessary gestures. Financial services, healthcare, and companies handling regulated data should prioritize patching.
Affected systems
This vulnerability affects Google Chrome on all three major operating systems: Windows, macOS, and Linux. Any Chrome installation running version 149.0.7827.52 or earlier is vulnerable. Organizations should inventory Chrome deployments through their device management systems. Note that the vulnerability affects the browser application itself; the underlying OS vendors (Microsoft, Apple, Linux distributions) are listed in the affected products taxonomy but are not originators of this flaw—only Chrome requires patching to remediate this specific issue.
Exploitability
Exploitation requires two factors: a specially crafted HTML page and user UI gestures. An attacker cannot trigger the vulnerability remotely without user action; the user must actively interact with the page in a specific manner. This could occur through phishing emails directing users to malicious sites, malicious advertisements on legitimate sites, or compromised websites. The low complexity of the attack vector (network-accessible) combined with the requirement for user interaction places this in a realistic but not effortless threat category. No public exploit code or active in-the-wild exploitation has been identified at publication time; KEV status is not assigned, indicating this is not yet tracked as actively exploited in known vulnerabilities databases.
Remediation
Immediate action: Update Google Chrome to version 149.0.7827.53 or later. For managed environments, use your organization's patch management or mobile device management (MDM) system to enforce the update. Chrome's auto-update feature will deploy the patch automatically if enabled; verify that auto-updates are not disabled by group policy or configuration. For macOS and Linux users, ensure that Chrome checks for updates and installs them. Organizations can verify patch deployment by checking installed Chrome versions via browser policy reporting tools or endpoint telemetry.
Patch guidance
Deploy Chrome version 149.0.7827.53 or newer. For Windows organizations using Group Policy, ensure "Update policy override" is set to allow updates. On macOS with MDM, confirm that the Chrome managed preferences allow auto-updates. Linux users should verify that their package manager (apt, yum, snap, etc.) pulls the patched version from the distribution's repositories. Test the patch in a non-production environment first if using a phased rollout. After patching, verify through Chrome's about:help page or your endpoint management console that all systems have reached version 149.0.7827.53 or later. No workarounds exist; patching is the only mitigation.
Detection guidance
Monitor for Chrome crash reports or abnormal termination events, as failed exploitation attempts may trigger sandbox escapes or crashes. Endpoint detection and response (EDR) tools should alert on unusual V8 memory allocation patterns or heap corruption indicators. Web proxy logs may reveal access to known malicious or suspicious domains hosting crafted HTML payloads. Browser telemetry and security event logging can track anomalous script execution or sandbox boundary violations. Organizations using Chrome Enterprise can leverage the Verified Access API and device trust signals to detect compromised browser instances. Consider blocking access from unpatched Chrome versions to sensitive internal web applications through conditional access policies.
Why prioritize this
This vulnerability merits prompt patching despite not yet being tracked as actively exploited. The combination of remote network attack vector, high impact (arbitrary code execution), and low attack complexity—even with the user interaction requirement—creates meaningful risk. The abundance of web-based workflows in modern enterprises means that browsers are prime targets for initial compromise. While the sandbox provides a layer of defense, it is not hermetic; sophisticated attackers routinely chain sandbox escapes with browser exploits. The June 2026 publication date means this vulnerability is recent and newly patched, making early deployment critical before threat actors develop exploitation techniques. Prioritize systems used by high-value targets: executives, developers, security researchers, and employees in sensitive roles.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible attack with low complexity, no required privileges, user interaction, and high impact across confidentiality, integrity, and availability. While the user interaction requirement (UI:R) prevents a perfect 9.8 score, the sandbox execution context and potential for data theft or malware installation justify the elevated score. The Chromium project's internal "Medium" rating is more conservative; the CVSS score better captures the real-world risk in heterogeneous enterprise environments where browsers handle sensitive transactions.
Frequently asked questions
Do I need to patch all Chrome instances, or just those used for sensitive tasks?
All Chrome instances should be patched, even those used for general browsing. While high-value users are primary targets, widespread unpatched Chrome installations become infrastructure for secondary attacks. An attacker compromising a developer's browser could harvest credentials, inject malware, or pivot to internal systems. Patch everything; the update is automatic and low-risk.
Does Chrome's sandbox prevent the attack entirely?
No. The sandbox contains the initial execution, but use-after-free bugs can be chained with sandbox escape techniques. Attackers often use a browser exploit to break out of the sandbox and gain OS-level code execution. The sandbox is a defense layer, not an absolute barrier. Patching is essential.
What should I do if a user visited a suspicious website before patching?
Assume potential compromise if the user performed UI gestures on an untrusted page. Revoke browser cookies and session tokens for sensitive accounts (email, corporate apps, banking). Run a malware scan on the affected device. Check for unauthorized logins to high-value accounts (email, cloud storage, VPN). Consider resetting the user's credentials if they have administrative access.
Does this affect Chrome on mobile?
Yes, use-after-free vulnerabilities in V8 affect Chrome on iOS and Android as well. Mobile Chrome should be updated to the equivalent patched version. Mobile app users are often lower-friction targets for malicious links, so prioritize mobile fleet patching alongside desktop systems.
This analysis is based on the CVE record published on 2026-06-04 and modified on 2026-06-17. Patch versions and affected software versions are sourced directly from the CVE record; verify against the official Google Chrome security advisory and your organization's vulnerability management platform before deployment. This explainer is for informational purposes and does not constitute security advice. Organizations should conduct their own risk assessment and testing. No exploit code or weaponized proof-of-concept details are provided. The CVSS score and severity are based on the official CVSS 3.1 vector; internal vendor severity ratings may vary. This vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance