HIGH 8.3

CVE-2026-11655: Chrome macOS Sandbox Escape via Integer Overflow

A mathematical error in how Google Chrome handles media files on macOS allows an attacker to escape the browser's sandbox if they've already compromised Chrome's rendering engine. The vulnerability exists in versions before 149.0.7827.103 and requires a specially crafted webpage to trigger. Once exploited, an attacker could move from the restricted sandbox environment to full system access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-472
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Integer overflow in Media in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11655 is an integer overflow vulnerability (CWE-472) in Chrome's media processing subsystem on macOS. The flaw occurs prior to version 149.0.7827.103 and enables a post-compromise sandbox escape. The vulnerability requires an attacker to first control the renderer process—typically through a separate code execution bug—then deliver a malicious HTML page that triggers the integer overflow during media parsing. Successful exploitation breaks Chrome's sandbox isolation, granting access to system resources normally protected by the sandbox boundary.

Business impact

While this vulnerability requires a prior renderer compromise, successful exploitation eliminates a critical last line of defense in Chrome's multi-layer security model. For organizations where employees use Chrome on macOS, a successful attack chain could lead to credential theft, lateral network movement, or system takeover. The sandbox escape transforms a contained browser compromise into a full device compromise, significantly expanding attacker capabilities and potential organizational impact.

Affected systems

Google Chrome on macOS systems running versions prior to 149.0.7827.103 are vulnerable. Apple macOS is listed as an affected platform, though the vulnerability is specific to Chrome's media handling rather than macOS itself. Users running Chrome 149.0.7827.103 or later on any supported macOS version are not affected by this particular issue.

Exploitability

Exploitation requires two conditions: (1) the attacker must first compromise Chrome's renderer process through a separate vulnerability or technique, and (2) the victim must then visit or be directed to a malicious webpage containing the crafted HTML. While the CVSS score of 8.3 reflects high severity, the practical exploitability is constrained by the need for prior renderer access. This is a sandbox escape rather than an entry-point vulnerability, making it a secondary stage in a multi-stage attack. No public exploit code or KEV designation currently exists for this vulnerability.

Remediation

Update Google Chrome to version 149.0.7827.103 or later on all macOS systems. Chrome's auto-update mechanism will typically handle this, but verification is recommended for organizational deployments. Organizations managing Chrome through centralized policies should verify the update deployment across their macOS fleet. No workarounds exist short of disabling Chrome or running on non-macOS platforms.

Patch guidance

Chrome users should ensure automatic updates are enabled in Chrome Settings > About > Google Chrome, which will update to 149.0.7827.103 automatically and prompt for restart. Enterprise administrators should verify deployment of version 149.0.7827.103 or later through their Mobile Device Management (MDM) solution or Chrome Enterprise policies. After patching, no further action is required. The patch addresses the integer overflow directly without requiring configuration changes.

Detection guidance

Look for Chrome crash logs or system logs indicating media processing failures on macOS systems prior to version 149.0.7827.103, which may indicate exploitation attempts. Monitor for suspicious process spawning from Chrome or chrome helper processes, as successful sandbox escape may be followed by process creation outside the sandbox. Endpoint detection systems should flag unexpected child processes spawned by Chrome or its renderer processes. Network detection is difficult since exploitation relies on client-side rendering of malicious HTML; focus detection efforts on post-exploitation indicators such as unexpected system calls or process creation chains.

Why prioritize this

Despite the 8.3 CVSS score, prioritization should account for the attack prerequisite. Organizations should prioritize this alongside other Chrome vulnerabilities to maintain a strong sandbox boundary, but this is not an immediate entry-point risk. For macOS environments where Chrome is widely deployed, patching should occur within standard security update cycles (typically 1-2 weeks). If other active Chrome vulnerabilities are being exploited in your threat environment, prioritization should move to 3-5 days to close the chain that could enable sandbox escape.

Risk score, explained

The CVSS 3.1 score of 8.3 (HIGH) reflects: network attack vector (AV:N) since exploitation occurs via webpage delivery, high complexity (AC:H) due to the need for prior renderer compromise and specific conditions to trigger the overflow, no privilege requirement (PR:N), user interaction required (UI:R) to visit the malicious page, and changed scope (S:C) with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The high score appropriately emphasizes the severity of a successful sandbox escape, though the prerequisite renderer compromise is reflected in the attack complexity factor.

Frequently asked questions

Does this vulnerability affect Chrome on Windows or Linux?

No, CVE-2026-11655 is specific to Chrome on macOS. The integer overflow exists in macOS-specific media handling code. Windows and Linux users are not affected by this particular vulnerability, though they may be vulnerable to other Chrome security issues.

Can this be exploited by simply visiting a malicious website?

No. The vulnerability requires prior compromise of Chrome's renderer process. Visiting a malicious website alone is insufficient. An attacker must first breach Chrome through another vulnerability or method, then deliver the crafted HTML to trigger the sandbox escape. This is a secondary-stage attack, not an entry-point vulnerability.

What happens if I'm still on an older version of Chrome?

If you're running Chrome prior to 149.0.7827.103 on macOS, you are vulnerable to this sandbox escape if your renderer process is compromised. You should update immediately through Chrome Settings > About > Google Chrome, which will prompt an automatic update and restart.

Is there a workaround if I cannot update Chrome immediately?

There are no reliable workarounds. Disabling JavaScript or restricting website access reduces attack surface but does not eliminate the risk. The safest interim measure is to avoid high-risk browsing activities and consider using alternative browsers until the update is available and deployed.

This analysis is based on the official CVE record and vendor information current as of the publication date. No public exploit code or active exploitation has been confirmed. Vulnerability details and patch information should be verified against the official Google Chrome Security Release page and Apple security advisories before deployment. Organizations should test patches in non-production environments before enterprise rollout. This vulnerability requires prior renderer process compromise and is not an immediate entry-point risk for uncompromised systems. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).