CVE-2026-11677: Chrome Sandbox Escape via macOS Network Process Race Condition
A race condition vulnerability in Google Chrome's network process on macOS allows an attacker who has already compromised the browser's network process to escape the sandbox and potentially gain system-level access. The vulnerability requires the attacker to craft a malicious HTML page and trick a user into viewing it, but the underlying network process compromise is the critical prerequisite. This is a privilege escalation vector rather than a primary infection method.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-362
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Race in Network in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the network process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11677 is a race condition (CWE-362) in the network handling component of Google Chrome on macOS. The vulnerability exists in versions prior to 149.0.7827.103. The race condition allows an already-compromised network process to exploit a timing window during HTML page processing, enabling sandbox escape. The attack surface is limited to users on macOS systems; the vulnerability does not affect Chrome on Windows or Linux. Successful exploitation grants the attacker the same privileges as the user running Chrome, potentially allowing access to system resources protected by the sandbox boundary.
Business impact
Organizations with macOS-based workforces face elevated risk if Chrome is the primary browser. A sandbox escape could enable lateral movement from a compromised browser process to user files, credentials, and potentially system-level access. The practical impact depends on your network's ability to prevent initial network process compromise—if your environment has strong isolation and monitoring, the attack chain is harder to complete. However, this vulnerability is particularly concerning in scenarios where users browse untrusted content or where multi-stage attacks are expected. Patching is essential to close this escalation vector.
Affected systems
Google Chrome versions prior to 149.0.7827.103 on macOS are affected. The vulnerability is specific to the macOS platform and does not impact Chrome on Windows, Linux, Android, or iOS. Any macOS user running an unpatched version of Chrome is at risk if their network process is compromised. Organizations should verify Chrome version numbers across their macOS fleet.
Exploitability
Exploitation requires two conditions: (1) the network process must already be compromised by an attacker, and (2) the user must visit a crafted HTML page while the compromise is active. This is not a wormable vulnerability and requires user interaction. The CVSS score of 8.3 (High) reflects the severity of the sandbox escape outcome, but the practical exploitability is constrained by the need for prior network process compromise. This vulnerability is not tracked as a Known Exploited Vulnerability (KEV) by CISA.
Remediation
Update Google Chrome to version 149.0.7827.103 or later on all macOS systems. Verify the update through Chrome's Settings > About Chrome menu, which will display the current version and automatically check for updates. No workarounds are available; patching is the only mitigation. For enterprise environments, use Mobile Device Management (MDM) or Chrome policies to enforce automatic updates and verify compliance across the fleet.
Patch guidance
Deploy Chrome version 149.0.7827.103 or later across your macOS infrastructure. Chrome's auto-update mechanism will deliver the patch automatically to most users within days of release, but verify completion in your environment. For enterprises using managed Chrome deployments, push the update through your MDM solution to ensure coverage of all devices. Prioritize macOS systems that run high-risk workflows or have network-facing roles, as they present the highest exploitation likelihood.
Detection guidance
Monitor for unusual process behavior following Chrome sandbox boundaries—specifically, look for child processes spawned from the Chrome renderer or network process that execute system-level commands or access unauthorized file paths. In macOS environments, review system logs for unexpected process escalation. If network monitoring shows signs of process compromise (unusual DNS queries, unexpected outbound connections from Chrome), treat it as a precursor to potential sandbox escape attempts. Check for successful privilege escalation events in audit logs correlated with Chrome activity. Current vulnerability scanners will flag unpatched Chrome installations; prioritize systems showing version numbers below 149.0.7827.103.
Why prioritize this
This vulnerability merits high priority because it enables sandbox escape—a critical security boundary—but only after a network process compromise. Organizations should treat this as a secondary risk amplifier: if you have other vulnerabilities that could compromise Chrome's network process, this CVE becomes a pathway to system compromise. Patch immediately if you have high-risk users or systems exposed to untrusted content, and treat it as standard-priority patching for general enterprise deployments.
Risk score, explained
The CVSS 3.1 score of 8.3 (High) reflects: Network Attack Vector (AV:N), High complexity due to the race condition timing (AC:H), no privilege requirement for triggering the race (PR:N), but user interaction required (UI:R). The impact scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component—specifically, system resources outside the Chrome sandbox. All three impact categories (Confidentiality, Integrity, Availability) are rated High. The 8.3 score accurately represents a serious vulnerability that requires immediate patching, though the constraint of needing prior network process compromise means real-world risk depends on your threat model.
Frequently asked questions
Can this vulnerability be exploited if Chrome is fully up to date?
No. Once you update to version 149.0.7827.103 or later, you are protected. The race condition is fixed in that release. Verify your version in Chrome Settings > About Chrome.
Does this affect Chrome users on Windows or Linux?
No. This vulnerability is specific to macOS. The race condition exists only in the macOS implementation of Chrome's network process. Windows and Linux users are unaffected.
What does 'network process compromised' mean, and how would that happen?
The network process is the isolated component of Chrome that handles all network traffic. A prior vulnerability in Chrome or another attack could compromise it—for example, a separate remote code execution bug in the network stack, or an attacker gaining access through malware. Once compromised, an attacker can trigger this race condition to escape the sandbox entirely.
Is this vulnerability being actively exploited in the wild?
As of the last update, CVE-2026-11677 is not tracked as a Known Exploited Vulnerability (KEV) by CISA. However, treat it as a serious risk based on the High CVSS score and the nature of the flaw. Deploy patches promptly rather than waiting for active exploitation reports.
This analysis is based on public vulnerability information and vendor advisories as of June 2026. The vulnerability details, patch version numbers, and CVSS assessment reflect the source data provided. Organizations should verify patch availability and compatibility in their specific environments before deployment. This analysis does not constitute legal or compliance advice. Consult with your security and compliance teams regarding your organization's patch management and risk tolerance policies. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-11253MEDIUMChrome Permissions Flaw Allows Cross-Origin Data Leak
- CVE-2026-10940HIGHChrome Windows Sandbox Escape via Codec Race Condition
- CVE-2026-11145MEDIUMChrome Android Geolocation Race Condition Data Leak
- CVE-2026-9959LOWChrome WebRTC Race Condition Leaks Cross-Origin Data on Windows
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis