ctipilot.ch


CVE-2026-10881 — Google Chrome (ANGLE graphics engine): out-of-bounds read/write enabling sandbox escape (CVSS 9.6)

High-severity vulnerability · discovered 2026-06-07 05:00 UTC

Part of run 2026-06-07-0885f123 (intel · Claude Opus 4.8)

Google shipped Chrome 149 (stable 149.0.7827.53/54) on 2026-06-02, patching 429 vulnerabilities — the largest single-release count in Chrome's history, with over 100 rated critical or high (Google Chrome Releases, 2026-06-02; SecurityWeek, 2026-06-05). The highest-severity externally-reported fix is CVE-2026-10881 (CVSS 9.6), an out-of-bounds read and write in ANGLE — Chrome's graphics-translation layer that maps WebGL/GPU calls to the host graphics API — which SecurityWeek reports remote attackers could exploit to escape Chrome's sandbox via a crafted HTML page, with no interaction beyond visiting the page. The sandbox-escape class is the consequential one for enterprises: a renderer compromise chained through ANGLE yields code execution in the browser process, the launch point for subsequent host privilege-escalation chains. No in-the-wild exploitation has been reported. Chrome auto-updates, but managed and extended-stable fleets routinely lag; verify deployment has reached 149.0.7827.53+ via asset inventory or the ADMX update policy, and confirm no MDM version-pin is holding endpoints back. Maps to T1203 (Exploitation for Client Execution).
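The closing advice above (check inventory for 149.0.7827.53+ and look for an MDM version-pin holding endpoints back) as an added worked example, not part of the brief. It assumes an asset-inventory CSV export with hostname, chrome_version and a target_version_prefix column mirroring the ADMX TargetVersionPrefix policy; the column names and the sample rows are constructed.

```python
"""Flag Chrome endpoints still below the CVE-2026-10881 fix floor."""
import csv
import io

# First stable build carrying the fix, per the brief.
FIX_FLOOR = "149.0.7827.53"

# Constructed inventory export (column names are assumptions).
INVENTORY = """hostname,chrome_version,target_version_prefix
ws-01,149.0.7827.54,
ws-02,148.0.7700.112,148.
ws-03,99.0.4844.51,
ws-04,149.0.7827.53,149.
"""

def parse_version(v: str) -> tuple[int, ...]:
    """Chrome versions are four dotted integers. Compare them numerically,
    never as strings: lexically "99.0.4844.51" sorts above "149.0.7827.53"."""
    return tuple(int(p) for p in v.strip().split("."))

def is_patched(installed: str, floor: str = FIX_FLOOR) -> bool:
    return parse_version(installed) >= parse_version(floor)

def pin_blocks_fix(pin: str, floor: str = FIX_FLOOR) -> bool:
    """A TargetVersionPrefix pin such as "148." lets the updater install any
    148.x build but nothing newer. The pin holds endpoints vulnerable when
    even the highest version matching the prefix is below the floor."""
    pin = pin.strip()
    if not pin:
        return False
    prefix = tuple(int(p) for p in pin.strip(".").split("."))
    best_allowed = prefix + (10**9,) * (4 - len(prefix))
    return best_allowed < parse_version(floor)

def triage(inventory_csv: str, floor: str = FIX_FLOOR) -> dict[str, list[str]]:
    """Bucket hosts into patched / vulnerable / vulnerable-and-pinned."""
    out: dict[str, list[str]] = {"patched": [], "vulnerable": [], "pinned_below_fix": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["hostname"]
        if is_patched(row["chrome_version"], floor):
            out["patched"].append(host)
            continue
        out["vulnerable"].append(host)
        if pin_blocks_fix(row.get("target_version_prefix", ""), floor):
            out["pinned_below_fix"].append(host)
    return out

if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Hosts in pinned_below_fix will not self-heal through auto-update; the pin has to be lifted before the fleet can reach the floor.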

CVE Summary Table

The table consolidates the CVE-bearing items across this brief; only CVE-2026-10881 is a § 2 trending-vulnerability entry — the Keycloak and FFmpeg rows are cross-references to § 5 and § 3 respectively.

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-10881 | Google Chrome (ANGLE graphics engine) | 9.6 | ~0.04 | No | No | Chrome 149.0.7827.53+ | SecurityWeek |
| CVE-2026-9704 | Keycloak < 26.6.3 (token exchange) | n/a | n/a | No | No | Keycloak 26.6.3 | Keycloak |
| CVE-2026-4874 | Keycloak < 26.6.3 (OIDC token endpoint) | n/a | n/a | No | No | Keycloak 26.6.3 | Keycloak |
| CVE-2026-39210 | FFmpeg (TS demuxer; +8 numbered) | n/a | n/a | No | No (PoC public) | Upstream fix commits | depthfirst |

“Remote attackers could exploit the vulnerability to escape Chrome's sandbox via crafted HTML pages” — SecurityWeek

“Chrome 149 was released with patches for 429 vulnerabilities, including over 100 critical and high-severity bugs.” — SecurityWeek

Action items

  • Confirm managed Chrome fleets have reached 149.0.7827.53+ (§ 2): check asset inventory / ADMX policy and ensure no MDM version-pin is holding endpoints on a build still vulnerable to the ANGLE sandbox escape CVE-2026-10881.
Tags: vulnerabilities · rce · patch-available · global · CVE-2026-10881