You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
sandbox escape
About this tag
Sandbox escape vulnerabilities in Google Chrome are a recurring focus on WindowsForum, with multiple CVEs disclosed in June 2026 affecting Chrome versions before 149.0.7827.103 across Windows, macOS, and Linux. These flaws, including use-after-free, integer overflow, and insufficient input validation, allow an attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. Discussions emphasize that sandbox escape is a critical second-stage attack, turning a compromised tab into a broader system compromise. For Windows users and enterprise administrators, patching promptly is essential, as these vulnerabilities highlight the importance of Chrome's sandbox as a security boundary.
Google Chrome before 150.0.7871.47 is affected by CVE-2026-14017, a Navigation implementation flaw disclosed on June 30, 2026, that could let an attacker who already compromised Chrome’s renderer potentially escape the sandbox through a crafted HTML page. The short answer to the CPE question is...
Google fixed CVE-2026-14106 in Chrome 150 for Android after a Text-component input-validation flaw, published by the National Vulnerability Database on June 30, 2026, was found to let an attacker with an already-compromised renderer potentially escape Chrome’s sandbox through a crafted HTML...
Google Chrome’s CVE-2026-14120 was published on June 30, 2026, for a DevTools flaw fixed before Chrome 150.0.7871.47 that could let an attacker who had already compromised the renderer process attempt a sandbox escape through a crafted HTML page. The short operational answer is that NVD does...
Google fixed CVE-2026-13796 in Chrome 150.0.7871.47 for Windows and macOS on June 30, 2026, addressing a high-severity Chromecast integer overflow that could let an attacker escape Chrome’s sandbox after first compromising the renderer. The vulnerability is not a garden-variety “visit a bad page...
Google fixed CVE-2026-14038 in Chrome 150.0.7871.47 for Windows and Mac on June 30, 2026, addressing a low-severity New Tab Page input-validation flaw that could help an attacker escape Chrome’s sandbox after already compromising the renderer process with a crafted HTML page. The oddity is not...
Google fixed CVE-2026-14095 in the Chrome 150 stable desktop release on June 30, 2026, after documenting a low-severity Browser-component validation flaw that could let an attacker who had already compromised the renderer process potentially escape the sandbox through a crafted HTML page. The...
Google Chrome for macOS before version 150.0.7871.47 contains CVE-2026-14097, a WebAppInstalls implementation flaw disclosed on June 30, 2026, that could let an attacker who already compromised Chrome’s renderer process potentially escape the browser sandbox through a crafted HTML page. The...
Google Chrome before version 150.0.7871.47 contained CVE-2026-14109, a Mojo policy-enforcement flaw disclosed on June 30, 2026, that could let an attacker escape the browser sandbox after first compromising a renderer process with a crafted HTML page. The awkward part is not that Chrome had...
Google fixed CVE-2026-14151 in Chrome 150.0.7871.47 for Windows and Mac on June 30, 2026, after documenting a low-severity “inappropriate implementation in AI” flaw that could let an attacker who already controlled the renderer potentially escape the browser sandbox through crafted HTML. The...
Google’s June 30 Chrome 150 desktop release fixed CVE-2026-13782, a critical use-after-free flaw in the browser process that could let an attacker escape Chrome’s sandbox after compromising the renderer, with patched desktop builds shipping as Chrome 150.0.7871.46 for Linux and 150.0.7871.46/.47...
Google fixed CVE-2026-13781 in Chrome 150.0.7871.47 for Windows and Mac on June 30, 2026, after classifying the Skia input-validation flaw as a critical sandbox-escape risk for attackers who had already compromised Chrome’s renderer process. The important phrase is not merely “crafted HTML...
Google patched CVE-2026-13780 in Chrome 150.0.7871.47 for Windows and macOS after disclosing on June 30, 2026, that insufficient validation in ANGLE could let an attacker who had already compromised Chrome’s renderer escape the browser sandbox through a crafted HTML page. The NVD later rated the...
Google Chrome’s CVE-2026-13776 is a critical type-confusion flaw in the Dawn graphics layer, fixed in Chrome 150.0.7871.47 on June 30, 2026, and NVD’s change history indicates that Chrome CPE data was added even if the public page still shows a loading prompt.
That is the small but important...
Google disclosed CVE-2026-11655 on June 8, 2026, as a high-severity integer overflow in Chrome’s Media component on macOS before version 149.0.7827.103, where an attacker who had already compromised the renderer could potentially escape the browser sandbox using a crafted HTML page. That...
Google’s CVE-2026-11647 is a high-severity use-after-free flaw in Chrome’s Printing component on Android, disclosed June 8, 2026, affecting versions before 149.0.7827.103 and potentially allowing a renderer-compromising attacker to escape the browser sandbox with a crafted HTML page. That is the...
Google disclosed CVE-2026-11700 on June 8, 2026, as a use-after-free flaw in Chrome’s Tracing component before version 149.0.7827.103 that could let an attacker who already compromised the renderer process attempt a sandbox escape through a crafted HTML page. That description sounds narrow...
CVE-2026-11697 is a high-severity Google Chrome vulnerability, published by NVD on June 8, 2026, affecting Chrome versions before 149.0.7827.103 on Windows, macOS, and Linux, where insufficient UI input validation could let a remote attacker attempt sandbox escape through a crafted HTML page...
CVE-2026-11682 is a high-severity Google Chrome vulnerability disclosed on June 8, 2026, affecting Chrome on Linux before the 149.0.7827.103 line and allowing a sandbox escape after renderer compromise via a crafted HTML page. That sounds narrow, but it is the kind of narrow that matters: not a...
Google’s CVE-2026-11659 entry, published June 8, 2026 and modified June 9, describes a high-severity Chrome-on-Linux integer overflow in the browser UI that could let a remote attacker escape the sandbox through a crafted HTML page before version 149.0.7827.103. The short version is simple...
Google disclosed CVE-2026-11642 on June 8, 2026, as a critical Chromium Web Apps use-after-free flaw fixed in Chrome before version 149.0.7827.103, affecting desktop Chrome on Windows, macOS, and Linux where a crafted HTML page could help escape the browser sandbox. That is the dry database...