PatchSiren

CVE-2026-10000 Google CVE debrief

A use-after-free vulnerability in Google Chrome's Passwords component on Windows, fixed in version 148.0.7778.216, could allow a remote attacker with renderer process compromise to potentially escape the sandbox. The Chromium project rates this as High severity. The vulnerability stems from improper memory management (CWE-416) in the password handling code, where freed memory may be accessed, enabling further privilege escalation from the renderer process.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Google Chrome on Windows endpoints, particularly those with users who may visit untrusted web content. Security teams responsible for browser security, endpoint protection, and sandbox escape prevention. Incident responders tracking browser-based attack chains.

Technical summary

This vulnerability exists in the Passwords component of Google Chrome on Windows. A use-after-free condition (CWE-416) can be triggered, allowing an attacker who has already compromised the renderer process to potentially escape the browser sandbox. The attack vector requires a crafted HTML page and prior renderer compromise, indicating this is typically exploited as part of a multi-stage attack chain. The fix was released in Chrome Stable Channel version 148.0.7778.216 on May 28, 2026.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on Windows systems to version 148.0.7778.216 or later
  • Verify automatic update mechanisms are enabled for Chrome deployments
  • Review browser isolation policies and consider site isolation enforcement as defense-in-depth
  • Monitor for unusual renderer process crashes or unexpected sandbox escape attempts
  • Audit endpoints for Chrome versions prior to 148.0.7778.216

Evidence notes

CVE published 2026-05-28. Chrome Stable Channel update released same day. Chromium issue tracker reference 513505608.

Official resources

2026-05-28