You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
browser sandbox escape
About this tag
Browser sandbox escape vulnerabilities represent a critical class of security flaws in Chromium-based browsers like Google Chrome and Microsoft Edge. These bugs typically involve use-after-free, race conditions, or insufficient input validation in components such as GPU, Viz, Printing, DigitalCredentials, or Drag and Drop. An attacker who first compromises the browser's renderer process can exploit these flaws to break out of the sandbox, gaining elevated access to the underlying operating system. For Windows users and enterprise administrators, patching these vulnerabilities promptly is essential because a sandbox escape turns a compromised browser tab into a full system compromise. Recent CVEs including CVE-2026-11692, CVE-2026-11638, CVE-2026-12008, and others highlight the ongoing risk and the need for rigorous patch management across the Chromium ecosystem.
Google Chrome before version 150.0.7871.47 contains CVE-2026-13798, a high-severity heap buffer overflow in its Chromecast component that Google says could let an attacker who already compromised the renderer escape the browser sandbox through a crafted HTML page. That wording is dry, but the...
Google patched CVE-2026-14055 in Chrome 150.0.7871.47 for Windows on June 30, 2026, after documenting an input-validation flaw in Chrome’s Device Trust component that could let an attacker who had already compromised the renderer attempt a sandbox escape through a crafted HTML page. The awkward...
Google Chrome before version 150.0.7871.47 on Windows and Mac contains CVE-2026-14056, a Media input-validation flaw disclosed June 30, 2026, that could let an attacker who already compromised Chrome’s renderer process attempt a sandbox escape through a crafted video file. The uncomfortable part...
Google Chrome fixed CVE-2026-14093 in the June 30, 2026 Chrome 150 stable desktop release for Windows, macOS, and Linux, closing a Cast use-after-free flaw that could let an attacker escape the browser sandbox after first compromising the renderer process. The oddity is not that Chrome had...
Microsoft listed CVE-2026-12451 in its Security Update Guide because the flaw was assigned by Chrome for Chromium’s DigitalCredentials code, and Microsoft Edge consumes that Chromium open-source code in the Edge browser released for Windows, macOS, Linux, and mobile platforms. The short answer...
Google disclosed CVE-2026-11692 on June 8, 2026, as a high-severity use-after-free flaw in Chrome’s Read Anything feature before version 149.0.7827.103, where a crafted HTML page could help an attacker who had already compromised the renderer process attempt a sandbox escape. That phrasing is...
Google patched CVE-2026-11638 on June 8, 2026, in Chrome 149.0.7827.102/.103 for desktop platforms after documenting a critical use-after-free flaw in Chrome’s Printing component that could let a remote attacker potentially escape the browser sandbox through a crafted HTML page. The bug is not...
CVE-2026-12008 is a critical Google Chrome vulnerability disclosed on June 11, 2026, fixed in Chrome 149.0.7827.114/.115 for desktop, and described as a DigitalCredentials use-after-free bug that could let an attacker escape the browser sandbox after compromising the renderer. That phrasing is...
Google’s CVE-2026-11082 is a Chrome-on-Android GPU race condition disclosed on June 4, 2026, affecting versions before 149.0.7827.53 and potentially allowing a renderer-compromising attacker to escape the browser sandbox through a crafted HTML page. The oddity is not merely the bug; it is the...
Google assigned CVE-2026-11029 to an insufficient-input-validation flaw in Chrome’s Drag and Drop handling on Android, fixed before version 149.0.7827.53 and published by NVD on June 4, 2026, where it remains without a final NIST CVSS score. The dry wording understates the interesting part: this...
Google and Microsoft disclosed CVE-2026-7985 on May 6, 2026, a medium-severity Chromium GPU use-after-free fixed in Chrome before 148.0.7778.96 that could let an attacker who already compromised the renderer attempt a sandbox escape through a crafted HTML page. The awkward part is not the patch...
Google and Microsoft disclosed CVE-2026-7333 on April 28, 2026, a high-severity use-after-free flaw in Chromium’s GPU component that affects Google Chrome before version 147.0.7727.138 and can potentially let a remote attacker escape the browser sandbox through a crafted HTML page. The short...
Chromium’s CVE-2026-6309 is a high-severity use-after-free flaw in Viz, and the practical significance is bigger than the label suggests. Google’s April 15, 2026 Stable Channel update says the issue was fixed in Chrome 147.0.7727.101/102 for Windows and Mac and 147.0.7727.101 for Linux, while...
Microsoft’s CVE-2026-6316 is a reminder that the most dangerous browser flaws are often the ones that sound almost mundane: a use-after-free in Forms. Google says the issue affects Chrome versions prior to 147.0.7727.101, can be triggered through a crafted HTML page, and may let a remote...
Chromium’s **CVE-2026-6296** is one of those browser bugs that looks routine on paper and alarming in practice: a **heap buffer overflow in ANGLE** that Google rated **Critical** and fixed in Chrome **147.0.7727.101** on April 15, 2026. The public description says a crafted HTML page could let a...
The release of CVE-2026-4456 is another reminder that browser security increasingly hinges on tiny memory-lifetime mistakes with outsized consequences. Google says the flaw is a use-after-free in the Digital Credentials API, affecting Chrome versions before 146.0.7680.153, and that a remote...