CVE-2026-10995: Chrome TabStrip Heap Buffer Overflow (CVSS 8.8)
A heap buffer overflow vulnerability exists in Google Chrome's TabStrip component that could allow an attacker to corrupt memory on a user's system. The attack requires convincing a user to perform specific gestures while viewing a malicious webpage. While Chromium's maintainers classified this as medium severity, the actual impact—potential code execution with high integrity and confidentiality compromise—warrants close attention from security teams.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-122
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Heap buffer overflow in TabStrip in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10995 is a CWE-122 heap buffer overflow affecting the TabStrip UI component in Chrome versions prior to 149.0.7827.53. The vulnerability arises from improper bounds checking during user interaction with tab-related UI elements. When a user performs specific gestures on a crafted HTML page, an attacker can write beyond allocated heap memory boundaries, potentially achieving arbitrary code execution in the context of the browser process. The network-accessible, low-complexity attack vector combined with a requirement for user interaction creates a realistic exploitation path.
Business impact
Compromise of Chrome could grant attackers access to browsing history, saved passwords, stored authentication tokens, and data within web applications. In enterprise environments, this could facilitate lateral movement, credential harvesting, or data exfiltration. The requirement for user interaction means social engineering or phishing campaigns could weaponize this vulnerability at scale. Organizations with users relying on Chrome for SaaS applications or sensitive web-based workflows face elevated risk.
Affected systems
Google Chrome prior to version 149.0.7827.53 is affected across all supported platforms (Windows, macOS, Linux). The vulnerability impacts Chrome users who have not applied the patching version or later. Chrome OS systems running vulnerable browser versions are also in scope.
Exploitability
The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates network accessibility with low attack complexity, but exploitation requires user interaction—specifically, convincing a target to perform defined gestures within the tab interface on a malicious page. This is not an unauthenticated, zero-interaction vulnerability. The attacker must craft a webpage that triggers the buffer overflow through specific UI actions, making this practical for targeted phishing or watering hole attacks but not suitable for mass compromise without social engineering.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. For managed environments, administrators can use Chrome update policies to force deployment. Users should enable automatic updates if not already active. Organizations should prioritize patching Chrome on high-risk systems (those used for critical applications or sensitive access) within 2–4 weeks.
Patch guidance
Google Chrome version 149.0.7827.53 and later contain the fix for this vulnerability. Enterprise administrators can verify patch deployment through Chrome management console or by checking chrome://version in the address bar on target machines. Most users receive updates automatically, but manual updates can be triggered via Chrome menu > Settings > About Google Chrome. Verify patch application immediately after update, as Chrome must be fully restarted for the fix to take effect.
Detection guidance
Monitor for crashed Chrome processes, especially those with suspicious memory access patterns in debugging logs. Within browser telemetry, look for TabStrip-related exceptions or segmentation faults before patching. In endpoint detection and response (EDR) tools, flag abnormal Chrome child process behavior or unexpected code execution within the browser sandbox. Network-based detection is limited; focus on ensuring patches are deployed and monitoring user reports of Chrome crashes or unexpected behavior.
Why prioritize this
Although Chromium classified this as medium severity, the CVSS 8.8 score and direct path to heap corruption warrant prioritization. The combination of high confidentiality, integrity, and availability impact makes this a realistic vehicle for credential theft or malware installation. The requirement for user interaction reduces but does not eliminate risk, particularly in phishing-prone environments. Patch within 30 days, sooner for users handling sensitive data or authentication workflows.
Risk score, explained
The CVSS 8.8 (HIGH) reflects the confluence of network accessibility, low attack complexity, and catastrophic impact (confidentiality, integrity, and availability all compromised). The user interaction requirement prevents this from being a 9.0+, but does not substantially lower risk in social-engineering-aware threat landscapes. Organizations with mature security awareness programs and EDR coverage can reduce practical impact, but the vulnerability remains significant enough to mandate prompt patching.
Frequently asked questions
Can this vulnerability be exploited without user action?
No. The vulnerability requires specific user gestures (UI interactions with the tab interface) to trigger the buffer overflow. An attacker cannot exploit it through passive viewing of a webpage alone. However, social engineering or deceptive page design can encourage users to perform the necessary actions.
Is this vulnerability being actively exploited?
As of the vulnerability publication date (June 4, 2026), there is no indication this has been added to the Known Exploited Vulnerabilities (KEV) catalog, suggesting no evidence of in-the-wild exploitation at this time. However, organizations should not assume safety; the low attack complexity and clear exploitation path make it an attractive target for targeted campaigns.
Do I need to patch Chrome if my users only use it for non-sensitive browsing?
Chrome stores sensitive data (passwords, tokens, browsing history) by default, even for 'non-sensitive' sites. Compromised Chrome can facilitate further attacks or credential harvesting. Yes, you should patch all affected instances.
Will updating Chrome disrupt my users' workflow?
Chrome updates typically do not require special user action, though the browser must be fully closed and restarted for patches to take effect. Users may see a restart prompt. Scheduled updates can minimize disruption in managed environments.
This analysis is based on publicly available vulnerability data as of June 2026. Organizations should verify patch availability and deployment guidance against official Google Chrome security advisories before taking action. SEC.co provides this information for informational purposes and does not assume liability for implementation decisions or outcomes. Always test patches in non-production environments before full rollout. CVSS scores and severity classifications may evolve as new information emerges; refer to official CVE entries and vendor advisories for authoritative updates. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0059HIGHAndroid Heap Buffer Overflow in SDP Discovery – Remote Code Execution
- CVE-2026-0100HIGHAndroid Heap Buffer Overflow Local Privilege Escalation
- CVE-2026-10929HIGHChrome Android Heap Buffer Overflow & Sandbox Escape Vulnerability
- CVE-2026-10946HIGHChrome Heap Buffer Overflow in Media Processing—Patch Guidance
- CVE-2026-10949HIGHChrome Heap Overflow Sandbox Escape Vulnerability
- CVE-2026-10989HIGHChrome V8 Heap Corruption – Patch to 149.0.7827.53
- CVE-2026-10993MEDIUMChrome Skia Heap Buffer Overflow Allows Memory Information Disclosure
- CVE-2026-20452HIGHMediaTek WLAN Driver Heap Buffer Overflow (CVSS 8.0)