PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10017 Google CVE debrief

Out-of-bounds read in the Headless component of Google Chrome prior to version 148.0.7778.216. A remote attacker who has already compromised the renderer process could use this bug to escape the Chrome sandbox via a crafted HTML page. Chromium security rates the issue Medium severity; note that this vendor rating is a separate scale from the CVSS score listed below. The issue was disclosed on 2026-05-28, and the NVD record and the vendor advisory carry matching publication and update timestamps. No exploitation in the wild or use in ransomware campaigns has been documented. The bug is tracked as Chromium issue 504156069 and was fixed in the stable channel update for desktop.

Vendor
Google
Product
Chrome
CVSS
HIGH 8.3
CISA KEV
Not listed (per the evidence stored for this record)
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running Google Chrome in headless mode for automated testing, web scraping, or server-side rendering; security teams responsible for browser attack surface; developers who run headless Chrome in CI/CD pipelines or in containers, where the browser is often launched with the sandbox disabled

Technical summary

The weakness is an out-of-bounds read (CWE-125) in the Headless component of Google Chrome. It is a second-stage primitive: the attacker must already control the renderer process, and the bug then potentially allows escape from the Chrome sandbox. Delivery is remote, via a crafted HTML page. The fix shipped in Chrome stable channel version 148.0.7778.216 on 2026-05-28.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Google Chrome to version 148.0.7778.216 or later, and verify the installed version on every host rather than relying on the auto-updater (headless and containerized installs are frequently pinned)
  • If headless Chrome runs in production, prioritize patching because of the sandbox escape potential
  • Audit headless launch flags: instances started with --no-sandbox gain nothing from this fix, since a renderer compromise on such a host is already a full process compromise; remove the flag or run the browser in a dedicated, minimally privileged container or user namespace
  • Review renderer process isolation (site isolation) configuration as defense-in-depth
  • Monitor Google Chrome stable channel security updates for follow-on fixes
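The version check and the sandbox-flag audit from the list above, as an added example (this is not PatchSiren's or Google's code). It assumes `google-chrome --version` style output (`Google Chrome 148.0.7778.216`), which is what Chrome prints; the process list sample is constructed here, not a real capture.

```shell
#!/bin/sh
# Added example: is a Chrome/Chromium build at or above the fix for CVE-2026-10017,
# and are any headless instances running with the sandbox disabled?

FIXED_VERSION="148.0.7778.216"   # first fixed stable version per the advisory

# version_ge A B: exit 0 if dotted version A >= B, comparing up to four numeric fields.
# Missing trailing fields count as 0, so "149.0" compares as 149.0.0.0.
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# extract_version "Google Chrome 148.0.7778.216": prints the four-part version, if any.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# chrome_patched "<--version output>": exit 0 if patched, 1 if vulnerable, 2 if unparsable.
chrome_patched() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# check_binary <path-or-name>: runs the real binary on this host and reports.
# (google-chrome, chromium and chrome-headless-shell are assumed binary names.)
check_binary() {
    bin="$1"
    command -v "$bin" >/dev/null 2>&1 || { echo "$bin: not installed"; return 2; }
    out=$("$bin" --version 2>/dev/null)
    if chrome_patched "$out"; then echo "$bin: $out (patched)"; return 0; fi
    rc=$?
    [ "$rc" -eq 2 ] && { echo "$bin: could not parse '$out'"; return 2; }
    echo "$bin: $out (VULNERABLE, need >= $FIXED_VERSION)"; return 1
}

# Constructed sample of `ps -eo args` output (not a real capture) for the flag audit.
SAMPLE_PS='/usr/bin/google-chrome --headless=new --no-sandbox --disable-gpu https://example.test/
/usr/bin/google-chrome --headless=new --disable-gpu https://example.test/
/opt/chrome/chrome --type=renderer --headless
/usr/bin/chromium --headless --no-sandbox --remote-debugging-port=9222'

# unsandboxed_headless "<ps output>": prints headless browser command lines started with
# --no-sandbox. On those hosts the sandbox-escape fix changes nothing; fix the launch flags.
unsandboxed_headless() {
    printf '%s\n' "$1" | grep -E -- '--headless' | grep -E -- '--no-sandbox' || true
}

# Usage on a real host:
#   check_binary google-chrome; check_binary chromium
#   unsandboxed_headless "$(ps -eo args)"
```

`check_binary` exits non-zero for a vulnerable or unparsable install so it can gate a CI job; `unsandboxed_headless` takes the process listing as an argument so the same function can be pointed at a saved `ps` capture from a fleet inventory.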

Evidence notes

Vulnerability description sourced from the NVD record. Vendor attribution to Google Chrome is based on reference-domain evidence (Googleblog) and is flagged low confidence, pending review. The Chromium issue tracker reference confirms bug tracking; the stable channel release notes confirm patch availability. CWE-125 (Out-of-bounds Read) is identified as the primary weakness.

Official resources

Chrome stable channel update for desktop (release notes), published 2026-05-28