sandbox escape

CVE-2026-11163 is a Chrome on Android use-after-free flaw in the browser’s Messages component, disclosed June 4, 2026, fixed before version 149.0.7827.53, and described as allowing a remote attacker to potentially escape the sandbox through a crafted HTML page. The oddity is not the memory bug...

CVE-2026-10967 is a high-severity use-after-free vulnerability in Chrome’s SurfaceCapture component on Android, disclosed on June 4, 2026, affecting Google Chrome versions before 149.0.7827.53 and potentially allowing a renderer-compromise attacker to escape the browser sandbox through a crafted...

Google published CVE-2026-10934 on June 4, 2026, describing a high-severity use-after-free flaw in Chrome Autofill on Android before version 149.0.7827.53 that could let an attacker with renderer compromise attempt a sandbox escape through crafted HTML. That is a narrow sentence with a very...

Google published CVE-2026-10892 on June 4, 2026, identifying a critical out-of-bounds write in Chrome’s GPU component on Android before version 149.0.7827.53 that could let a remote attacker attempt a sandbox escape through a crafted HTML page. The phrasing is dry, but the implication is not...

Google Chrome’s CVE-2026-11119 was published by NVD on June 4, 2026, and describes a Chrome-on-Android GPU flaw fixed before version 149.0.7827.53 that could let an attacker escape the browser sandbox after first compromising the renderer with a crafted HTML page. The record is messy in exactly...

SafeBreach Labs disclosed that Windows 11 contained a sandbox escape flaw, tracked as CVE-2025-59199 and patched by Microsoft on October 14, 2025, that let a low-integrity process break out through a spoofed notification click and chained Windows components. The important part is not that one...

SafeBreach Labs uncovered a Windows 11 sandbox escape vulnerability dubbed Click Or Trick, reported by IT Brief Asia and tracked as CVE-2025-59199, that Microsoft fixed in October 2025 after researchers showed a one-click chain from low-integrity code to higher-integrity execution. The finding...

Google Chrome on Windows before version 148.0.7778.96 contains CVE-2026-7911, a high-severity use-after-free flaw in Chromium’s Aura UI layer that could let a remote attacker who already compromised the renderer attempt a sandbox escape through a crafted HTML page. That phrasing is dry, but the...

Google and Microsoft published CVE-2026-7917 on May 6, 2026, describing a high-severity use-after-free flaw in Chromium’s Fullscreen component on Windows before Chrome 148.0.7778.96 that could help a renderer-compromise chain escape the browser sandbox. The important phrase is not “Fullscreen,”...

CVE-2026-7919 is a high-severity use-after-free vulnerability in Chrome’s Aura user-interface framework, fixed in Google Chrome 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and macOS after disclosure on May 6, 2026, with Microsoft also tracking it in MSRC. The short version for...

Google disclosed CVE-2026-7345 on April 28, 2026, as a high-severity Chrome vulnerability in the browser’s Feedback component, fixed in Chrome 147.0.7727.138 after allowing a renderer-compromising attacker to potentially escape the sandbox through a crafted HTML page. That sounds narrow, almost...

On April 28, 2026, Google shipped Chrome 147.0.7727.137/138 for desktop to fix 30 security flaws, including CVE-2026-7350, a high-severity use-after-free bug in WebMIDI that could help an attacker escape Chrome’s sandbox after compromising the renderer process. The line that matters for...

Google disclosed CVE-2026-7343 on April 28, 2026, as a critical use-after-free flaw in Chrome’s Views component on Windows before version 147.0.7727.138, enabling a renderer-compromising attacker to potentially escape the browser sandbox via crafted HTML. That dry sentence is the whole drama in...

CVE-2026-6920 is not just another line item in Chrome’s fast-moving security ledger; it is a sharp reminder that browser GPU pipelines remain one of the most sensitive attack surfaces in modern computing. The flaw, described as an out-of-bounds read in the GPU component of Google Chrome on...

Google has patched CVE-2026-6297, a use-after-free in Proxy that affects Chrome versions before 147.0.7727.101 and carries a Critical Chromium severity rating. The public description says a crafted HTML page could allow an attacker in a privileged network position to potentially achieve a...

The latest Chrome security update closes a high-severity Chromium flaw, CVE-2026-6311, that lives in the browser’s accessibility code path and can be used as a sandbox escape on Windows if an attacker has already compromised the renderer process. Google’s April 15, 2026 Stable Channel release...

Insufficient validation of untrusted input in ANGLE has become the latest reminder that browser security is still a moving target, even when the bug is rated only Medium by Chromium’s own severity scale. CVE-2026-5879 affects Google Chrome on Mac prior to 147.0.7727.55, and Google’s description...

Anthropic’s decision to keep Claude Mythos Preview out of the public release channel is more than another cautious product move. It is a signal that frontier AI labs are now confronting a class of systems whose security behavior can no longer be treated as a side effect of capability gains...

Chromium’s CVE-2026-5289 is a high-severity use-after-free in Navigation that matters less as a standalone browser crash and more as a potential sandbox-escape primitive for a remote attacker who has already compromised the renderer process. Google’s own description says the flaw affected Chrome...

Google’s latest Chrome stable-channel security update is drawing attention not because of another routine patch, but because of a vulnerability that can turn a renderer compromise into something far more serious: a possible sandbox escape. The issue, tracked as CVE-2026-4451, affects Google...