HIGH 7.5

CVE-2026-1220: V8 Race Condition Type Confusion in Chrome – Patch Guidance

A race condition in Google Chrome's V8 JavaScript engine could allow an attacker to trick the browser into confusing data types when processing a malicious webpage. An attacker would need to craft a specific HTML page and convince a user to visit it, but if successful, the vulnerability could lead to information disclosure, data tampering, or application crashes. Chrome versions before 144.0.7559.99 are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-362
Affected products
4 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Race in V8 in Google Chrome prior to 144.0.7559.99 allowed a remote attacker to potentially exploit type confusion via a crafted HTML page. (Chromium security severity: High)

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-1220 is a race condition (CWE-362) in the V8 JavaScript engine shipped with Google Chrome prior to version 144.0.7559.99. The vulnerability allows type confusion—a state where the engine misidentifies the actual type of an object in memory—through a timing-sensitive code path. An attacker exploits this by delivering a crafted HTML page that triggers concurrent execution patterns during garbage collection or object allocation, causing the type safety guarantees of the V8 engine to be violated. The race window is narrow and difficult to trigger reliably, which is reflected in the CVSS scoring (AC:H). Successful exploitation grants the attacker capabilities typically restricted by the browser sandbox.

Business impact

This vulnerability poses a moderate-to-significant risk to organizations whose workforces browse the web with Chrome. Exploitation could lead to data exfiltration from browser memory (which may contain session tokens, credentials, or sensitive web content), unauthorized modifications to web pages or cached data, or denial of service through targeted crashes. The requirement for user interaction (visiting a malicious site) limits the attack surface compared to wormable flaws, but phishing and drive-by download tactics remain viable delivery mechanisms. Any organization relying on Chrome's security model as a boundary for untrusted content should treat this as a priority remediation target.

Affected systems

Google Chrome is the primary affected product. The vulnerability is specific to Chrome's V8 engine implementation, though the underlying operating systems listed (macOS, Linux kernel, Windows) are relevant only insofar as Chrome runs on them. All Chrome installations on these platforms running version 143.0.7559.99 or earlier require patching. Other Chromium-based browsers (Edge, Opera, Brave, etc.) may be affected if they integrate the vulnerable V8 version; organizations should verify their specific Chromium-based browser versions against the Chrome stable release timeline.

Exploitability

Exploitability is constrained by several factors. The race condition requires precise timing and typically demands multiple page loads or extended user interaction with the malicious page to increase the probability of hitting the vulnerable code path. CVSS AC:H reflects this difficulty. The vulnerability requires user interaction (UI:R) and does not grant network access to arbitrary systems; it is confined to the bounds of the browser process. However, the attack surface is broad—any webpage the user visits, including those served via compromised ad networks or watering-hole attacks, could deliver the payload. No public exploitation techniques were available at the time of publication, but the high Chromium severity rating indicates the Chrome security team assessed the practical impact as significant.

Remediation

Upgrade Google Chrome to version 144.0.7559.99 or later. This patch addresses the race condition in V8. Users can verify their current Chrome version by navigating to chrome://settings/help, which will also prompt automatic updates if available. Organizations managing Chrome deployments via policy should update their deployment configurations to enforce version 144.0.7559.99 or later. For Chromium-based browsers not listed in the CVE, cross-reference their upstream Chromium version against the Chrome release notes to determine equivalency.

Patch guidance

Google Chrome auto-updates to stable releases, typically rolling out over several days. Manually trigger updates via chrome://settings/help or Settings > About Chrome. For enterprise environments: deploy version 144.0.7559.99 or later using your standard Chrome management tools (Google Admin Console, Intune, etc.). Verify patch application by spot-checking client chrome://version outputs. Prioritize user-facing systems and workstations that access sensitive web content or internal web applications. Test patch compatibility with critical browser extensions before broad rollout if your environment has custom web applications or security-sensitive plugins.

Detection guidance

Detection at the network level is limited, as the vulnerability resides within the browser process and does not manifest as anomalous network traffic. Monitor Chrome version compliance via endpoint management tools (Intune, Jamf, etc.) to identify unpatched installations. Monitor system logs on macOS, Linux, and Windows for unexpected Chrome process crashes or memory access violations, which may indicate attempted exploitation. Web application firewall (WAF) rules are unlikely to detect this attack, as the payload is embedded in HTML/JavaScript that passes normal content inspection. Focus detection efforts on version tracking and post-compromise forensics (reviewing browser cache, session history, and process memory dumps).

Why prioritize this

Despite the lack of active, widespread exploitation (KEV status: not listed), the combination of high CVSS severity, the need for only a single user interaction, and the prevalence of Chrome in enterprise environments warrants prioritization within a 30-day patch window. The race condition, while difficult to trigger, is deterministic and reproducible by a skilled attacker, and the impact (information disclosure and integrity violation) affects core browser security assumptions. Organizations should treat this as a mandatory update for any system where data confidentiality is a concern.

Risk score, explained

CVSS 3.1 score of 7.5 (HIGH) reflects: Network-accessible attack vector (AV:N), high attack complexity due to race condition timing (AC:H), no privilege requirement (PR:N), user interaction required (UI:R), and confidentiality, integrity, and availability impacts all possible within the browser's security context (C:H/I:H/A:H). The score appropriately penalizes AC:H to reflect the narrow exploitation window, preventing a Critical rating, while the multi-impact nature elevates severity above 7.0.

Frequently asked questions

Does this vulnerability affect Chrome on Android?

The CVE description lists desktop operating systems (macOS, Linux, Windows) and does not explicitly mention Android. Consult Google's official Chrome security advisory and release notes to confirm Android status. If affected, updates on Android typically roll out separately through Google Play, with similar urgency.

Can my organization disable V8 or use a safer JavaScript engine in Chrome?

No. V8 is Chrome's core JavaScript engine and cannot be replaced or disabled. The mitigation is patching. If you require an additional layer of protection, consider deploying web content filtering or sandboxing technologies that isolate untrusted web browsing.

What if we cannot patch immediately due to compatibility concerns?

Risk mitigation steps include restricting user access to untrusted or high-risk websites, disabling JavaScript where feasible for lower-risk users, and increasing monitoring for suspicious Chrome crashes. However, these are temporary measures. Plan a phased rollout of version 144.0.7559.99 within a 30-day window to maintain security posture.

Why is this not on the KEV catalog if it's high-risk?

KEV status indicates active exploitation in the wild. This CVE, published on 2026-06-10, had not demonstrated active exploitation by the time of publication. However, absence from KEV does not diminish the need to patch—threat actors often develop exploits before public disclosure, and race conditions can be weaponized quickly once the vulnerability becomes known.

This analysis is provided for informational purposes and reflects the state of the vulnerability as of the publication date (2026-06-10). Exploit code is not included. Organizations should verify patch versions and compatibility against official Google Chrome security advisories and their vendor-specific release notes. SEC.co does not warrant the accuracy or completeness of third-party vendor information. Patch dates, version numbers, and affected product lists are subject to change; always consult the official Chromium/Chrome security page for authoritative updates. Use of this information is at the organization's own risk and should be incorporated into a broader risk management and patch management program. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).