CVE-2026-11077: Chrome Dawn Graphics Vulnerability – Sandbox Escape Risk
A flaw in the Dawn graphics component of Google Chrome allows attackers to run malicious code within the browser's sandbox by tricking users into visiting a specially crafted website. The vulnerability requires user interaction (clicking a link or visiting a page) but doesn't require any special privileges. Once exploited, an attacker gains the same permissions as the Chrome process, potentially allowing them to steal data or compromise the system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Bad cast in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11077 is a bad cast vulnerability (CWE-125: Out-of-bounds Read) in Dawn, Chrome's WebGPU graphics layer, affecting versions prior to 149.0.7827.53. The flaw permits remote code execution within the browser sandbox via a malicious HTML page. The attack vector is network-based, requires minimal complexity, no authentication, and user interaction—specifically a user viewing the crafted HTML. The exploit succeeds entirely within the renderer sandbox context, limiting immediate system-wide impact but potentially enabling data exfiltration or lateral movement if combined with other vulnerabilities.
Business impact
Organizations relying on Chrome as a primary browser face data theft and credential harvesting risks if employees are lured to malicious sites. The vulnerability's high CVSS score (8.8) and ease of delivery via phishing or compromised advertising networks make it a credible attack vector. For enterprises managing BYOD or unmanaged endpoints, exploitation could lead to corporate network compromise if users access internal systems from infected browsers. Patch delays create a window of exposure during which threat actors can exploit unpatched instances.
Affected systems
Google Chrome on Windows, macOS, and Linux systems running versions below 149.0.7827.53 are directly affected. While the source data lists Apple macOS and Linux kernel separately, the vulnerability's scope is limited to Chrome installations on these platforms, not the operating systems themselves. Users on any affected OS distribution running vulnerable Chrome builds should prioritize patching.
Exploitability
This vulnerability has relatively low exploitation friction: attackers need only host a malicious HTML page and direct users to it via email, ads, or social engineering. No user-level vulnerability chaining is required—a single visit triggers the flaw. The Chromium severity is rated Medium, though the CVSS 8.8 reflects the high impact of arbitrary code execution. Currently, there is no evidence of active exploitation in the wild (KEV status: not listed).
Remediation
Update Google Chrome to version 149.0.7827.53 or later. The update patches the bad cast issue in the Dawn component. Most users on stable channel releases will receive automatic updates, but enterprises should verify deployment via their mobile device management (MDM) or software update systems. Users who cannot update immediately should disable WebGPU features or restrict browsing to trusted sites.
Patch guidance
Google Chrome will auto-update on subsequent browser restart once the patch is available through Google's update servers. Verify successful patching by navigating to chrome://settings/help and confirming the version number is 149.0.7827.53 or higher. For managed deployments, confirm rollout via your MDM console or Chrome Enterprise policies. Linux distributors may provide updates through package managers; check your distribution's security advisory timeline. No workarounds exist beyond updating; temporary mitigations (like disabling WebGPU) may break web applications relying on the API.
Detection guidance
Monitor Chrome processes for unusual memory access patterns or crashes (potential exploitation attempts may cause crashes before sandbox escape). Check browser update compliance across your fleet to identify lagging systems. Web proxies can log attempts to access known malicious domains hosting exploit pages, though the vulnerability itself does not create a specific network signature. Endpoint detection and response (EDR) tools should flag Chrome child processes attempting to access sensitive files or network resources if sandbox escape occurs. Correlate with phishing reports to identify if users visited suspicious sites during the vulnerability window.
Why prioritize this
The 8.8 CVSS score, low attack complexity, and requirement only for user interaction make this a high-priority patch despite the Chromium Medium rating. Remote code execution within the browser—even sandboxed—poses immediate risk for data theft and credential harvesting. The lack of active exploitation (KEV status negative) suggests a narrow patching window before threat actors develop reliable exploits. Organizations should treat this as critical for user-facing systems, especially those handling sensitive data or accessing corporate networks.
Risk score, explained
The CVSS 8.8 (HIGH) reflects the confluence of network accessibility (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), user interaction needed (UI:R), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). While the sandbox limits scope, code execution in the renderer process allows credential theft, session hijacking, and potential pivot attacks. The discrepancy between Chromium's Medium severity and the CVSS 8.8 may reflect Chromium's stricter bar for RCE severity or different threat modeling; organizations should weight both assessments.
Frequently asked questions
Does this vulnerability affect Chrome on mobile (Android, iOS)?
The source data identifies Windows, macOS, and Linux systems. Chrome on iOS uses Apple's WebKit engine, not Blink, so it is unaffected. Android Chrome runs Chromium; confirm patch availability for your Android version through Google Play or your device manufacturer. Organizations managing mobile devices should verify patch deployment separately.
Can attackers exploit this without user action?
No. The attack requires a user to visit a malicious HTML page, click a link, or interact with an embedded element. Once the page loads in the browser, the vulnerability can trigger automatically, but initial user navigation is necessary.
What is the difference between Chromium's Medium severity and the CVSS 8.8 HIGH rating?
Chromium's severity reflects their internal threat model and mitigation factors (e.g., sandbox limitations). CVSS 8.8 is a standard industry metric assessing intrinsic impact and exploitability without factoring in deployed mitigations. Both are relevant: use CVSS for cross-product risk ranking and Chromium severity for Chrome-specific context.
If our users are behind a web proxy or firewall, are they protected?
Network controls cannot block this vulnerability because the attack vector is a malicious HTML page served over standard web protocols. Proxies can log access to known bad domains but cannot prevent exploitation. Patching Chrome itself is the only effective mitigation.
This analysis is provided for informational purposes to support security decision-making. The vulnerability details, patch versions, and affected products are derived from official vendor advisories and NVD records as of the publication date. Organizations should independently verify patch availability and applicability in their environments. Patch version numbers must be confirmed against the vendor's official security advisory. This document does not constitute legal or compliance advice. Consult your vendor's official documentation and conduct internal testing before deploying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-11111HIGHChrome Out-of-Bounds Read in ANGLE Graphics Engine — Patch Guidance
- CVE-2026-9910HIGHChrome ANGLE Out-of-Bounds Memory Access – Exploit & Patch Guide
- CVE-2026-9975HIGHChrome ANGLE Sandbox Escape – Out-of-Bounds Memory Vulnerability