CVE-2026-11692: Chrome Read Anything Use-After-Free Sandbox Escape
A use-after-free vulnerability in Chrome's Read Anything feature allows an attacker who has already compromised the browser's renderer process to escape the sandbox and gain elevated system privileges. The attacker needs a user to open a malicious HTML page, but once triggered, the flaw breaks Chrome's security isolation and can lead to full system compromise. Google Chrome versions prior to 149.0.7827.103 are affected across Windows, macOS, and Linux.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in Read Anything in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11692 is a use-after-free (CWE-416) vulnerability in the Read Anything component of Google Chrome. The flaw exists in how Chrome handles memory references after objects have been deallocated. An attacker with control of the renderer process can craft a malicious HTML document that triggers improper memory access, circumventing the sandbox boundary. The vulnerability requires user interaction (opening the page) but no additional privileges, and impacts Chrome versions before 149.0.7827.103 on multiple operating systems.
Business impact
If exploited, this vulnerability enables a two-stage attack: first gaining renderer process control through other means, then leveraging this flaw to escape the browser sandbox. Once outside the sandbox, an attacker can execute arbitrary system code with the privileges of the logged-in user, leading to potential theft of credentials, installation of persistent malware, lateral movement within the network, and data exfiltration. For organizations where Chrome is the primary browser or where users have elevated privileges, the blast radius is significant.
Affected systems
Google Chrome versions prior to 149.0.7827.103 on Windows, macOS, and Linux are vulnerable. All users of affected Chrome versions are at risk if they encounter a malicious webpage—either through direct navigation or drive-by download scenarios. Organizations running enterprise Chrome deployments with older versions face the highest immediate risk.
Exploitability
Exploitation requires a two-step process: an attacker must first compromise the Chrome renderer process (via another vulnerability, malicious extension, or social engineering), then deliver a crafted HTML page to trigger the use-after-free. The CVSS vector reflects high complexity due to this prerequisite and the need for user interaction, but once the renderer is compromised, weaponizing this flaw is relatively straightforward. No evidence of in-the-wild exploitation has been reported, and the vulnerability is not yet tracked on the CISA KEV catalog.
Remediation
Immediately update Google Chrome to version 149.0.7827.103 or later. Chrome's auto-update mechanism should deploy the patch automatically, but verify completion on critical systems. For managed environments, use Chrome enterprise policies to enforce the minimum version and disable downgrades. Additionally, implement application whitelisting and restrict execution of unsigned binaries to limit the impact of potential sandbox escapes.
Patch guidance
Update Chrome via Settings > About Google Chrome, which will trigger an automatic check and restart if a new version is available. For enterprise deployments, verify the rollout using your device management platform (MDM/EMM). Test the patched version in your environment before full deployment. Chrome's rapid release cycle means the patch is available immediately; delaying updates increases risk exposure. Consider accelerating patch deployment for high-risk user populations such as executives and researchers.
Detection guidance
Monitor for process crashes or unusual behavior in the Chrome renderer process, particularly if followed by suspicious child processes spawned from the Chrome executable. Track Chrome version inventory across your environment to identify machines still running versions prior to 149.0.7827.103. Review browser logs and security tool alerts for HTML pages that trigger renderer crashes or memory violations. Correlate unusual kernel-level activity with Chrome usage patterns. Given the sandbox-escape nature, focus on detecting privilege escalation attempts that originate from browser-spawned processes.
Why prioritize this
This vulnerability merits high priority due to its sandbox-escape capability and CVSS 8.3 severity score. While exploitation requires renderer compromise as a prerequisite, the chaining potential is significant in real-world attack scenarios where malicious extensions or other Chrome exploits are already present. The widespread use of Chrome and the impact of successful exploitation (full system compromise) justify rapid remediation. Organizations should treat this as critical for immediate patching, despite the lack of current KEV designation.
Risk score, explained
The CVSS 8.3 (HIGH) score reflects the combination of network-accessible attack vector, high impact across confidentiality, integrity, and availability, and the critical outcome of successful exploitation (sandbox escape). The high complexity rating acknowledges the prerequisite of renderer process compromise, lowering the score from critical; however, the scope change (breaking the browser sandbox) and full system impact elevate it significantly. The user interaction requirement further justifies the HIGH rather than CRITICAL designation, but the risk remains substantial in practice.
Frequently asked questions
Do I need to worry about this if I'm not a Chrome user?
No. This vulnerability is specific to Google Chrome. Firefox, Safari, Edge, and other browsers are not affected, though they have their own vulnerability portfolios that require separate monitoring.
What does 'renderer process compromise' mean, and how realistic is that as a prerequisite?
The renderer process is Chrome's sandboxed component that executes untrusted web content. It can be compromised via other Chrome vulnerabilities, malicious browser extensions with broad permissions, or social engineering. In practice, attackers often chain multiple flaws; this vulnerability becomes dangerous when combined with prior renderer exploits or when users install rogue extensions.
Will Chrome auto-update protect me without any action on my part?
Chrome checks for updates regularly and auto-updates are enabled by default on most systems. However, the update requires a browser restart to take effect. Verify your Chrome version manually (Settings > About) to confirm the patch has been applied. In enterprise environments, ensure your MDM policies are enforcing the latest minimum version.
Why is this not yet on CISA's Known Exploited Vulnerabilities list?
The CISA KEV catalog tracks vulnerabilities with confirmed in-the-wild exploitation. As of the vulnerability's publication, there is no evidence of active exploitation. However, absence from KEV does not reduce the technical severity—organizations should not delay patching based on KEV status alone, especially for critical sandbox-escape flaws.
This analysis is provided for informational purposes and reflects information available as of the published vulnerability date. Verify all patch version numbers and compatibility against official Google Chrome release notes and your vendor advisories before deployment. Exploit availability and in-the-wild usage may change; monitor CISA and vendor sources for emerging threat intelligence. This document does not constitute legal or compliance advice; organizations should assess applicability within their specific regulatory and operational context. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance