PatchSiren cyber security CVE debrief

CVE-2026-10012 Google CVE debrief

A use-after-free vulnerability in Skia, the 2D graphics library used by Google Chrome, was addressed in Chrome version 148.0.7778.216. The flaw could allow a remote attacker who has already compromised the renderer process to potentially escape the Chrome sandbox through a crafted HTML page. Google assigned this a High severity rating. The vulnerability was published to the CVE database on May 28, 2026, with Chrome's stable channel update released the same day. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with Chrome deployments, particularly those with users who may be targeted by advanced threat actors; security teams monitoring for browser-based attack chains; incident responders investigating potential sandbox escapes

Technical summary

The vulnerability exists in Skia, Chrome's 2D graphics rendering engine. A use-after-free condition can be triggered when processing crafted HTML content, allowing code execution outside the renderer sandbox if the attacker has already achieved renderer compromise. This represents a second-stage exploit typically chained with a separate renderer vulnerability.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.216 or later immediately
  • Verify Chrome auto-update is enabled and functioning in enterprise environments
  • Review browser isolation policies for high-risk user profiles
  • Monitor for unusual renderer process crashes or sandbox escape attempts
  • Apply security updates to other Chromium-based browsers (Edge, Brave, Opera) as they become available
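The first two actions above come down to one question per host: is the installed Chrome build at or above 148.0.7778.216? The following script is an added example, not PatchSiren's or Google's code. The fixed version is taken from this debrief; the binary names it tries (`google-chrome`, `google-chrome-stable`, `chromium`, `chromium-browser`) are assumptions for Linux and macOS hosts, and the sample version strings are constructed. The point it demonstrates is that Chrome's four-field build numbers must be compared as integers: a plain string comparison ranks 148.0.7778.99 above 148.0.7778.216 and would report a vulnerable build as patched.

```python
"""Check an installed Chrome build against the version that fixes CVE-2026-10012.

Added example, not PatchSiren's or Google's code. The fixed version below comes
from the debrief; the binary names in installed_chrome_version() are assumptions.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed version stated in the debrief for CVE-2026-10012.
FIXED_VERSION = "148.0.7778.216"

# Matches the dotted version in a line such as "Google Chrome 148.0.7778.216".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted version from text as a 4-tuple of ints.

    Integer tuples compare field by field, which is what makes the check
    correct: the raw strings "148.0.7778.99" and "148.0.7778.216" compare
    character by character, and '9' > '2' would rank the older build higher.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad short versions so "148.0" still compares against a four-field build.
    return parts + (0,) * (4 - len(parts))


def format_version(version: Tuple[int, ...]) -> str:
    """Render a parsed version tuple back to dotted form for reporting."""
    return ".".join(str(p) for p in version)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def installed_chrome_version() -> Optional[str]:
    """Ask the local Chrome/Chromium binary for its version string, or None.

    Binary names are assumptions; adjust for your platform or package source.
    """
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return result.stdout.strip()
    return None


def assess(version_output: Optional[str]) -> str:
    """Turn a version string (or None when Chrome is absent) into a report line."""
    if version_output is None:
        return "chrome: not found"
    version = format_version(parse_version(version_output))
    if is_patched(version_output):
        return f"chrome {version}: patched for CVE-2026-10012"
    return f"chrome {version}: VULNERABLE, update to {FIXED_VERSION} or later"


if __name__ == "__main__":
    # Constructed sample outputs in the shape `google-chrome --version` prints.
    for sample in ("Google Chrome 148.0.7778.99", "Google Chrome 148.0.7778.216", None):
        print(assess(sample))
    # Live check of this host, if a Chrome/Chromium binary is on PATH.
    print(assess(installed_chrome_version()))
```

Run it per host from your endpoint management tool and collect the `assess()` line; any host reporting VULNERABLE or "not found" on a machine that should have Chrome is a gap in the auto-update coverage the second action asks you to verify.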

Evidence notes

Vulnerability description and affected version confirmed via NVD entry and Chrome Release Blog. CWE-416 (Use After Free) classification provided by [email protected]. Chromium security severity rating of High per official source.

Official resources

Google Chrome Stable Channel Update