CVE-2026-11154: Chrome Dawn Use-After-Free Sandbox Escape Vulnerability
A use-after-free flaw in Google Chrome's Dawn graphics component allows an attacker who has already compromised the renderer process to break out of Chrome's sandbox and potentially gain system-level access. The vulnerability requires the attacker to trick a user into opening a malicious webpage and demands prior compromise of the renderer process, making it a two-stage attack. Patching to Chrome 149.0.7827.53 or later closes this gap.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11154 is a use-after-free vulnerability (CWE-416) in the Dawn graphics subsystem of Google Chrome. The flaw enables a remote attacker operating within a compromised renderer process to craft a malicious HTML page that triggers memory safety violations. When processed, this can escape the browser's sandbox isolation, potentially allowing arbitrary code execution with the privileges of the user running Chrome. The Chromium project rated this Medium severity internally, but the assigned CVSS 3.1 score of 7.5 (HIGH) reflects the sandbox escape impact and requirement for user interaction combined with prior renderer compromise.
Business impact
Successful exploitation could result in complete system compromise following a two-stage attack: first gaining renderer process access (via existing RCE or other means), then leveraging this vulnerability to bypass sandboxing and execute code outside the browser context. For organizations where users browse untrusted content or receive targeted phishing with weaponized HTML, this represents a path to lateral movement, credential theft, and data exfiltration at the OS level. Delayed patching increases the window of exposure if this vulnerability is discovered in active exploits.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are directly affected. The vulnerability's runtime behavior depends on the underlying operating system (Windows, macOS, or Linux), though the flaw itself is platform-agnostic at the Chrome/Dawn level. Any user running unpatched Chrome on supported operating systems is at risk if they encounter malicious content.
Exploitability
Exploitation requires two prerequisites: (1) prior compromise of the renderer process, and (2) user interaction to open a crafted HTML page. The renderer compromise barrier is significant—it typically requires a separate vulnerability or social engineering—but once achieved, the sandbox escape is triggered by HTML content, which is relatively easy to deliver. The use-after-free pattern is well-studied in browser security, though specific exploitation details depend on memory layout and mitigation bypass techniques. Without KEV inclusion or public proof-of-concept reports, opportunistic mass exploitation is less likely, but targeted campaigns against high-value targets could feasibly weaponize this.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome auto-updates by default on most platforms, but users should verify they are on the latest stable release. Organizations can enforce updates via Chrome management policies (Admin Console, GPO, or device enrollment). Verify patch deployment across endpoints and monitor for any lingering unpatched instances in user-managed devices or legacy systems.
Patch guidance
Verify that your Chrome installation has updated to 149.0.7827.53 or later by checking Settings > About Google Chrome. The browser will automatically check for and install updates, restarting on next launch. For managed deployments, review your Chrome enterprise policies to ensure auto-updates are enabled and test on a small cohort before broad rollout. Organizations using Chromebook deployments should note that updates are handled by your cloud enrollment domain; verify your device management console reports current Chrome versions.
Detection guidance
Monitor for use-after-free crash reports or core dumps mentioning the Dawn graphics subsystem, particularly those triggered by HTML content. Endpoint detection and response (EDR) tools can alert on Chrome process memory access violations or sandbox boundary crossings. Network-level detection is limited, as the malicious content is HTML; consider monitoring inbound phishing and social engineering campaigns that might deliver such payloads. Internal logs of Chrome version compliance help identify remaining unpatched instances.
Why prioritize this
Although this vulnerability requires prior renderer compromise, the sandbox escape capability elevates risk significantly. A successful exploit could grant an attacker OS-level access, enabling persistence, lateral movement, and data theft beyond what a confined renderer process permits. The HIGH CVSS score (7.5) reflects the severity of sandbox bypass; however, lack of KEV inclusion and absence of public exploits mean this is not yet an imminent mass-exploitation threat. Prioritize patching for users in high-risk roles (finance, government, legal) and organizations facing advanced threats, while scheduling standard deployments for broader user bases.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) is derived from network attack vector, high confidentiality/integrity/availability impact, and user interaction requirement, offset slightly by the requirement that the renderer process be pre-compromised (reflected in the AC:H complexity modifier). This score appropriately weighs the severe consequence (sandbox escape) against the multiple conditions needed to reach exploitability. The gap between Chromium's internal Medium rating and the CVSS HIGH score reflects the context-dependent nature of risk: within a browser component lifecycle, Medium is reasonable; from a system security perspective, sandbox escape is HIGH impact.
Frequently asked questions
Does this affect Chrome on my phone or tablet?
Yes, Chrome on Android and iOS is also vulnerable if running versions prior to 149.0.7827.53. Mobile Chrome updates are typically handled through your device's app store or automatic update mechanism. Check your Chrome version in Settings > About Chrome and ensure you have the latest release.
Can I be attacked just by visiting a normal website?
Not from this vulnerability alone. An attacker would first need to have already compromised your Chrome renderer process through a separate attack (such as another browser vulnerability). Once that's done, they could then serve malicious HTML to trigger the sandbox escape. Normal web browsing is safe unless you've been targeted by an active, multi-stage attack.
What should I do if I'm not sure my Chrome is updated?
Open Chrome, click the menu (three vertical dots), go to Help > About Google Chrome. If an update is available, Chrome will automatically download and install it. You may be prompted to restart the browser. Verify the version shown is 149.0.7827.53 or higher.
Is there a workaround if I can't update immediately?
Limiting browsing to trusted websites and avoiding suspicious links or attachments reduces your exposure, though it does not eliminate the risk if a compromise has already occurred. The most secure approach is to apply the patch as soon as possible. If immediate patching is impossible, consider restricting Chrome usage to non-sensitive browsing or using an alternative browser until you can update.
This analysis is based on publicly disclosed information as of the publication date. CVSS scores, affected product versions, and patch details are sourced from official vendor advisories and CVE records. Exploitation requires pre-existing renderer process compromise; this is not a one-click attack vector. SEC.co does not provide exploit code or weaponization details. Patch availability and deployment timelines vary by organization; verify current versions against vendor advisories. This content is for informational purposes and should not be considered legal advice or a substitute for professional security assessment. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance