HIGH 8.3

CVE-2026-11640: Chrome Integer Overflow Sandbox Escape in libyuv

A mathematical error in Google Chrome's image processing library (libyuv) can be exploited by attackers who have already compromised the browser's sandbox. By crafting a malicious HTML page, they can trigger an integer overflow that potentially breaks out of Chrome's security sandbox entirely, gaining full system access. This requires the attacker to have already penetrated the renderer process first, making it a second-stage attack rather than a direct entry point.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-472
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Integer overflow in libyuv in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11640 is an integer overflow vulnerability in libyuv, a color space conversion library used by Google Chrome. The flaw exists in versions prior to 149.0.7827.103 and is classified as CWE-472 (Use of Incompletely Initialized Variable). The vulnerability allows a compromised renderer process to escape the sandbox through a specially crafted HTML page. While the CVSS 3.1 score is 8.3 (HIGH), Chromium rates this as Critical severity due to its potential for sandbox escape—the culmination attack in multi-stage browser exploitation.

Business impact

For organizations relying on Chrome as a primary browser, this vulnerability represents a critical gap in layered defenses. A compromised renderer (via phishing, malvertising, or watering-hole attacks) can escalate to full system compromise, potentially exfiltrating sensitive data, installing persistent malware, or lateral moving within corporate networks. The attack chain requires prior compromise but the sandbox escape eliminates the last containment boundary. Organizations without rapid patching cycles face heightened risk of post-breach privilege escalation.

Affected systems

Google Chrome versions prior to 149.0.7827.103 are vulnerable. The vulnerability also affects host operating systems—Apple macOS, Linux, and Microsoft Windows—since successful exploitation bypasses per-OS sandbox implementations. Any deployment of affected Chrome versions on these platforms is at risk.

Exploitability

Exploitation requires a two-step process: first, the attacker must already have compromised the Chrome renderer process (via a separate browser exploit, XSS, or similar). Second, they deliver the crafted HTML page to trigger the integer overflow. The high complexity (AC:H in the CVSS vector) reflects this prerequisite, but once the renderer is compromised, the HTML delivery is straightforward. User interaction is required (UI:R), typically just visiting a malicious page. The attack does not require network access to the victim's system directly—it works via remote HTML delivery.

Remediation

Update Google Chrome to version 149.0.7827.103 or later immediately. This patch addresses the integer overflow in libyuv. Ensure auto-updates are enabled so users receive patches without manual intervention. No workarounds exist; patching is the only mitigation.

Patch guidance

1. Verify your Chrome version (Menu > Help > About Google Chrome auto-checks for updates). 2. Chrome will auto-update to 149.0.7827.103 or later and prompt restart; accept the update. 3. For enterprise deployments, use Chrome Policy to enforce auto-updates or push the update via your device management solution. 4. Confirm the patch version after restart via the About page. 5. If using Chromium-based browsers (Edge, Brave, etc.), verify those vendors have released equivalent patches and deploy accordingly.

Detection guidance

Endpoint Detection & Response (EDR) tools should monitor for: (1) Unusual child processes spawned by chrome.exe or chromium processes (sandbox escape indicator); (2) Unexpected system calls or kernel-level access initiated from Chrome (privilege elevation); (3) File system modifications or registry changes linked to Chrome process activity post-exploitation. Network detection is difficult since the payload is HTML delivered normally. Focus on post-compromise indicators: unexpected outbound connections, credential access, or process injection from the browser process.

Why prioritize this

Although the vulnerability requires prior renderer compromise (not direct remote code execution), the consequence—sandbox escape leading to full system compromise—is severe. Organizations should prioritize this patch in the same tier as critical RCE vulnerabilities because it completes the attack chain for multi-stage browser exploits that are commonplace in real-world campaigns. The combination of HIGH CVSS, Critical Chromium severity, and the prevalence of renderer exploits in the wild justifies urgent patching.

Risk score, explained

The CVSS 3.1 score of 8.3 reflects: (1) network-reachable attack vector (AV:N); (2) high attack complexity (AC:H) due to the renderer compromise prerequisite; (3) no privileges required beforehand (PR:N); (4) user interaction needed (UI:R, visiting the malicious page); (5) changed scope (S:C, escaping the sandbox boundary); (6) high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately weighs the severity of full system compromise against the multi-stage attack requirement.

Frequently asked questions

Do I need to already have malware on my system for this to matter?

Not exactly. While this specific vulnerability requires the Chrome renderer process to be compromised first, that compromise can happen via a separate browser exploit (a different Chrome vulnerability, for example) that same day. An attacker could chain this integer overflow with another renderer exploit to achieve full system takeover in a single campaign. That's why patching quickly is critical.

Does this affect Chrome on my phone?

Yes, Chrome on Android and iOS uses similar image processing libraries. If your Chrome browser version is prior to 149.0.7827.103, update immediately. Mobile Chrome auto-updates but verify your version in Settings > About Chrome.

Can I just disable JavaScript or block HTML to avoid this?

Disabling JavaScript may reduce some browser attack surface but does not mitigate this specific integer overflow, which occurs during image processing at a low level. The safest approach is patching. If you cannot patch immediately, isolating Chrome to a separate user account or virtual machine, and avoiding untrusted websites, reduces risk.

Why does Chromium call this Critical if the CVSS is only 8.3?

Chromium's severity rating reflects the business impact (sandbox escape) and prevalence of the prerequisite (renderer exploits exist and are used in real attacks). CVSS 8.3 is already HIGH, and the sandbox escape context makes it Critical in practice. The combination of ease-of-delivery (HTML), consequences (full system compromise), and commonality of the attack chain elevates urgency beyond the numeric score.

This analysis is provided for informational purposes to aid security decision-making. The information is derived from public advisory sources and vendor statements current as of the publication date. Readers should verify patch versions, compatibility, and deployment guidance directly with vendor advisories before taking action. No exploit code or proof-of-concept details are provided. Organizations should conduct their own risk assessment based on their specific environment, Chrome deployment scale, and threat landscape. This is not legal advice; consult your security and legal teams for compliance obligations. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).