PatchSiren


CVE-2026-10014 Google CVE debrief

A use-after-free vulnerability in WebMIDI on Google Chrome for Android prior to version 148.0.7778.216 enables sandbox escape from a compromised renderer process. The flaw, classified as CWE-416, carries Chromium's High severity rating. Successful exploitation requires an attacker to first compromise the renderer process, after which a crafted HTML page can trigger the memory corruption to break out of the browser sandbox. The vulnerability was disclosed on May 28, 2026, with fixes available in Chrome Stable channel updates.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations managing Android device fleets with Chrome browser deployments, mobile security teams, and developers relying on browser sandboxing for application security boundaries.

Technical summary

The vulnerability exists in Chrome's WebMIDI implementation on Android, where improper memory management leads to use-after-free conditions. An attacker with renderer process control can manipulate MIDI-related objects to trigger the flaw, potentially achieving arbitrary code execution outside the sandbox. The attack vector requires user interaction with malicious HTML content after initial renderer compromise.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on Android devices to version 148.0.7778.216 or later
  • Prioritize patching for devices where users visit untrusted web content or where renderer compromise is a concern
  • Monitor for indicators of renderer exploitation as a potential precursor to this sandbox escape
  • Review application sandboxing assumptions for Android Chrome deployments given renderer compromise prerequisites
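One way to verify the first action across a fleet, as an added example (not PatchSiren's or Google's code): it parses the output of `adb shell dumpsys package com.android.chrome` per device and compares the version numerically against 148.0.7778.216. The device names, dumpsys snippets and non-advisory version numbers are constructed samples, and treating the highest listed versionName as the running copy is an assumption.

```python
import re

# Fixed version taken from the advisory text above.
FIXED = (148, 0, 7778, 216)
# `dumpsys package` prints lines of the form "versionName=W.X.Y.Z".
VERSION_RE = re.compile(r"versionName=(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def chrome_versions(dumpsys_text):
    """Return every four-part versionName found, as tuples of ints."""
    return [tuple(int(p) for p in m.groups())
            for m in VERSION_RE.finditer(dumpsys_text)]

def classify(dumpsys_text):
    """Return 'patched', 'vulnerable', or 'unknown' (needs manual review)."""
    versions = chrome_versions(dumpsys_text)
    if not versions:
        return "unknown"  # package missing or output not parseable
    # Assumption: when a preinstalled system copy and an update are both
    # listed, the highest version is the one in use.
    active = max(versions)
    # Tuple comparison is numeric per component. Comparing the raw strings
    # would rank "148.0.7778.99" above "148.0.7778.216" and hide a
    # vulnerable device.
    return "patched" if active >= FIXED else "vulnerable"

def fleet_report(outputs):
    """Map device id -> status for a dict of device id -> dumpsys output."""
    return {device: classify(text) for device, text in outputs.items()}

# Constructed sample outputs, trimmed to the relevant lines.
SAMPLES = {
    "device-a": "Packages:\n  Package [com.android.chrome]:\n"
                "    versionName=148.0.7778.216\n",
    "device-b": "Packages:\n  Package [com.android.chrome]:\n"
                "    versionName=148.0.7778.99\n",
    "device-c": "Packages:\n  Package [com.android.chrome]:\n"
                "    versionName=149.0.7800.10\n"
                "Hidden system packages:\n  Package [com.android.chrome]:\n"
                "    versionName=120.0.6099.43\n",
    "device-d": "Unable to find package: com.android.chrome\n",
}

if __name__ == "__main__":
    for device, status in sorted(fleet_report(SAMPLES).items()):
        print(f"{device}: {status}")
```

Devices reported as "unknown" should be checked by hand rather than counted as patched.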

Evidence notes

Vulnerability description and affected version range derived from NVD record and Chrome Release Blog reference. CWE-416 classification confirmed via NVD weaknesses field. Chromium severity rating stated as High in official description. Timeline anchored to CVE publishedAt timestamp of 2026-05-28T23:16:43.233Z.
