CVE-2026-11660: Google Chrome New Tab Page Sandbox Escape (CVSS 8.3)
A vulnerability in Google Chrome's New Tab Page feature allows an attacker who has already compromised Chrome's renderer process to escape the browser sandbox using a specially crafted HTML page. This is a critical privilege escalation risk because sandbox escapes can lead to full system compromise. The vulnerability affects Chrome versions before 149.0.7827.103 across Windows, macOS, and Linux.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11660 stems from insufficient input validation in the New Tab Page component of Chromium. An attacker must first compromise the renderer process—typically through a prior vulnerability in web content parsing or script execution. Once inside the sandbox, the attacker can exploit the validation weakness via a crafted HTML page to break out and gain system-level privileges. The vulnerability is classified as CWE-20 (Improper Input Validation) and carries a CVSS 3.1 score of 8.3 (High severity) with a complex attack vector (AC:H) but high impact across confidentiality, integrity, and availability.
Business impact
Sandbox escape vulnerabilities represent an existential threat to the security model of modern browsers. Successful exploitation allows an attacker to transition from web-based code execution to arbitrary system commands, potentially enabling data theft, malware installation, lateral movement to other systems, or complete device takeover. Organizations relying on browser isolation as a security control may find that protection layer neutralized. The requirement for prior renderer compromise limits immediate risk but does not eliminate it, as renderer vulnerabilities are regularly discovered.
Affected systems
Google Chrome versions prior to 149.0.7827.103 running on Windows, macOS, or Linux are affected. This includes all three major operating systems, making it a widespread concern. Users running Chrome 149.0.7827.103 or later are not vulnerable to this specific issue.
Exploitability
Exploitation requires two stages: first, the attacker must compromise the renderer process (typically via a separate vulnerability or social engineering), and second, they must serve a crafted HTML page to trigger the New Tab Page validation flaw. This two-stage requirement (AC:H) reduces opportunistic attack feasibility. However, because many renderer vulnerabilities are known or will be discovered, and because the New Tab Page is a frequently-visited surface, the overall risk remains substantial. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but that does not indicate absence of active exploitation.
Remediation
Update Google Chrome to version 149.0.7827.103 or later. Chrome's auto-update mechanism will push this patch to most users, but organizations with managed deployments should verify rollout and enforce minimum version requirements. Verify the update has been applied by navigating to chrome://settings/help, which will display the current version and check for updates.
Patch guidance
Users: Enable automatic updates if not already active (Chrome default). Verify the running version is 149.0.7827.103 or higher via chrome://version. Organizations: Test patch compatibility in a non-production environment before enterprise rollout. Configure update policies to enforce minimum version 149.0.7827.103. Monitor for any reported issues in the deployed version and maintain a patch rollback plan. Prioritize this update given the High severity and sandbox escape risk.
Detection guidance
Monitor Chrome version inventory across your organization using endpoint management tools (MDM/EMM) or browser telemetry. Log and alert on attempts to access the New Tab Page with unusual or malformed HTML payloads if your network inspection tools support it. Endpoint detection systems should flag any Chrome process spawning unusual child processes or making unexpected system calls after New Tab Page rendering, which may indicate sandbox escape attempts. Review browser crash logs for instability in the New Tab Page rendering engine post-patch to confirm stability.
Why prioritize this
Sandbox escapes are among the most critical browser vulnerabilities because they nullify the primary security isolation mechanism of modern browsers. A successful exploit can lead to full system compromise. Although exploitation requires prior renderer compromise, the combination of a known attack surface (New Tab Page) and High severity warrants immediate patching. The absence from CISA KEV does not reduce urgency; it reflects current intelligence rather than absence of risk. Organizations should treat this as a mandatory patch within 1–2 weeks depending on their update cadence.
Risk score, explained
The CVSS 3.1 score of 8.3 reflects High severity due to the confluence of factors: High impact across all three security properties (confidentiality, integrity, availability), no authentication required, and user interaction needed (clicking or viewing a malicious page). The score is not Critical (9.0+) because exploitation requires prior compromise of the renderer process, which reduces the attack surface compared to direct remote code execution. However, the score appropriately emphasizes that the impact of successful exploitation—sandbox escape leading to system compromise—is severe.
Frequently asked questions
Do I need to do anything if auto-update is enabled?
No manual action is required if Chrome auto-update is enabled. Chrome will download and apply version 149.0.7827.103 automatically, typically within 24–48 hours. You may see a prompt to relaunch Chrome to complete the update. If you want to verify the update sooner, open chrome://settings/help and check the current version.
What does 'renderer process compromise' mean, and how likely is it?
The renderer process is the component of Chrome that parses web content and executes scripts. It is isolated in a sandbox by design. Compromise typically occurs through another vulnerability in web content parsing, JavaScript execution, or a browser extension. While renderer vulnerabilities are discovered regularly, they are not trivial for attackers to find or exploit reliably. The two-stage requirement makes this vulnerability less critical than a direct remote code execution flaw, but it remains serious.
Is this vulnerability currently being exploited in the wild?
The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. This does not guarantee there is no active exploitation; it reflects the current intelligence. Organizations should patch proactively rather than wait for confirmation of active exploitation, particularly given the High severity rating.
If I am behind a web proxy or firewall, does that protect me?
No. Network-layer controls cannot prevent this vulnerability because the attack vector is a crafted HTML page served to the browser. Once the page is rendered (whether from an internal or external source), the vulnerability can be triggered. The protection must be applied at the browser itself through the patch.
This analysis is provided for informational purposes to assist security teams in vulnerability management and risk prioritization. The information is derived from official CVE records and vendor disclosures. Organizations must independently verify all patch versions, compatibility, and deployment readiness within their environments. Patch testing should occur before enterprise rollout. SEC.co does not provide legal or compliance advice; consult your compliance and legal teams regarding regulatory reporting obligations for security incidents. This analysis does not constitute a guarantee of security and should be considered one component of a comprehensive vulnerability management program. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10922HIGHChrome DevTools Same-Origin Policy Bypass (CVSS 8.8)
- CVE-2026-10969HIGHChrome Extension Privilege Escalation Vulnerability – Patch Guidance
- CVE-2026-10970HIGHChrome Sandbox Escape via InterestGroups Input Validation Flaw
- CVE-2026-11046HIGHChrome Media Sandbox Escape – Patch Now to Version 149.0.7827.53