CVE-2026-10899 · Use after free in Ozone in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specifi

01 · The Real Story

This is a booby-trapped doorway that only exists on one floor of the building and only opens if the user grabs the handle just right

CVE-2026-10899 is a use-after-free in Chrome's Ozone layer on Linux. Affected builds are Google Chrome on Linux prior to 149.0.7827.53; the flaw is reached from hostile web content, but the published description says the attacker must convince the victim to perform a specific interaction, which materially narrows exploit reliability and campaign scale.

Google's HIGH / 7.5 baseline is defensible in a vacuum because memory corruption in a browser can become code execution. In real enterprise fleets, though, this one is Linux-only, user-driven, marked AC:H, has no KEV listing, and there is no public exploitation evidence or public PoC located from the source set, so the vendor score overshoots the practical patching urgency.

"Internet-reachable bug class, but Linux-only + specific interaction + no exploit signal makes this a medium-priority browser patch."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a Linux-targeted lure

The attacker uses a phishing link, chat message, or malicious ad to push the victim to a crafted web page. The only realistic weaponized tool identified from the source set is a custom exploit page / custom JavaScript trigger; no public exploit kit or repo was found for this CVE.

Conditions required:

Victim uses Chrome on Linux below 149.0.7827.53
Victim can be driven to attacker-controlled web content
Attacker has a trigger tailored to the Ozone bug

Where this breaks in practice:

Linux desktop populations are smaller than Windows/macOS in most enterprises
No public PoC lowers copy-paste exploitation
Email filtering, DNS filtering, and browser safe-browsing reduce delivery success

Detection/coverage: Secure email gateways, web proxies, DNS filters, and browser telemetry can catch the lure, but scanners will not see this from the network because the bug is client-side.

STEP 02

Force the required user interaction

The CVE description explicitly says exploitation needs the user to engage in a specific interaction. That means the page alone is not enough; the attacker must get the victim to click, drag, open, or otherwise manipulate a UI path that reaches vulnerable Ozone code.

Conditions required:

Victim renders the page in vulnerable Chrome on Linux
Victim performs the exact interaction sequence the exploit expects

Where this breaks in practice:

Human-behavior dependency is major real-world friction
Any mismatch in desktop environment, display stack, timing, or user action can break reliability

Detection/coverage: User-action gating is not something scanners validate well; detection is mostly indirect via browser crash spikes, EDR telemetry, and suspicious browsing journeys.

STEP 03

Trigger UAF memory corruption in Ozone

With the right state established, the crafted page and interaction trigger a use-after-free in Ozone, Chrome's Linux windowing/platform abstraction layer. A successful trigger can corrupt process memory and potentially yield code execution in the vulnerable browser context.

Conditions required:

The vulnerable Ozone code path is reachable in the victim's Linux environment
Exploit timing is reliable enough for the target build

Where this breaks in practice:

AC:H in the vendor vector matters here: these bugs are often timing- and state-sensitive
Chrome allocator hardening, sanitizers in development, and modern mitigations reduce exploit stability

Detection/coverage: Version-based asset inventory catches exposure; runtime detection is weak unless you have browser crash reporting, EDR memory-exploit analytics, or post-exploit process telemetry.

STEP 04

Monetize browser-context access or chain onward

If exploitation lands, the attacker can act in the browser's context: steal session material, pivot into same-user data, or use the foothold as one stage in a longer chain. Full host compromise is not guaranteed from this CVE alone; practical enterprise impact often depends on what the victim is signed into and whether the attacker also has a sandbox escape or credential-harvest follow-on.

Conditions required:

Successful code execution or equivalent browser compromise
Useful user sessions, tokens, or local data exist on the host

Where this breaks in practice:

Many meaningful outcomes require a second-stage capability or high-value victim context
EDR, application control, and least-privilege can contain follow-on behavior

Detection/coverage: Watch for browser child-process anomalies, credential access attempts, strange outbound connections, and new persistence from the browser lineage.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed exploitation in the source set. Not listed in CISA KEV as of the catalog page reviewed.
Public PoC	None located. No public GitHub repo, exploit write-up, or exploit kit reference was found for this specific CVE.
EPSS	0.00068 from the user-supplied intel block, which is roughly 0.068% probability over 30 days; percentile was not independently verified from the browsed sources.
KEV status	Not KEV-listed per CISA KEV catalog page reviewed; no KEV date applies.
CVSS vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H` — remote and no auth, but high complexity and user interaction required.
Affected versions	Google Chrome on Linux prior to 149.0.7827.53. The adjacent Google/Canadian release notices tie the fix to the 149.0.7827.53 Linux line.
Fixed version	149.0.7827.53 for Linux. Windows/Mac received `149.0.7827.53/.54` in the same release train, but this CVE is described as Linux-specific.
Scanning / exposure data	Shodan/Censys/FOFA are not useful here. This is a client-side browser flaw, so enterprise exposure is an endpoint inventory problem, not an internet-facing service census.
Disclosure	Disclosed 2026-06-04 per the user intel block; Google/Canadian advisory activity is dated June 2-3, 2026 around the 149.0.7827.53 release train.
Researcher / reporting	Not publicly attributed in the source set for this exact CVE. Historically, Google sometimes withholds bug details until broad patch adoption.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.8/10)

The decisive factor is reachability friction: this is a browser bug, but it only affects Linux Chrome, requires user interaction, and carries an explicit high-complexity rating. Without KEV status, public exploitation, or a public PoC, this looks more like a contained client-side patching item than a fleet-stopping emergency.

HIGH Downgrade from vendor HIGH to practical enterprise MEDIUM

MEDIUM Assessment of exploit reliability and likely blast radius without full technical root-cause detail

Why this verdict

Linux-only cuts the exposed population. Start from the vendor's 7.5, then mark down because this is not a cross-platform Chrome issue; in most enterprises the Linux desktop/browser fleet is a minority slice.
Specific interaction is compounding friction. The attacker needs the victim not just to browse, but to perform a particular action, which lowers success rates versus one-click or no-click browser exploitation.
AC:H is real here, not decorative. High-complexity browser memory corruption usually means timing, state, or environment sensitivity; that is downward pressure on operational exploitability.
No KEV, no public exploitation, no public PoC. There is no current signal that attackers are widely weaponizing this CVE, so there is no reason to treat it like a zero-day response event.
Impact is strong but often browser-context first. Even if exploitation works, the most common near-term win is browser/session compromise; meaningful host takeover often depends on chaining or privileged user context.

Why not higher?

If this were cross-platform, no-click, or already showing active exploitation, it would stay in HIGH or rise further. The current fact pattern is narrower: Linux-only exposure, required user interaction, and no exploitation signal materially suppress enterprise urgency.

Why not lower?

It is still an internet-fed memory corruption bug in a mainstream browser. A successful exploit can be serious on the endpoints that matter most, especially developer/admin Linux workstations with valuable sessions, source code, cloud tokens, or production access.

05 · Compensating Control

What to do — in priority order.

Constrain risky browsing on privileged Linux workstations — Move admin, SRE, and developer Linux endpoints that hold cloud, VPN, CI/CD, or production tokens into stricter browsing policy groups. For a MEDIUM verdict there is no mitigation SLA, so do this in your normal hardening cycle while you roll the patch.
Prioritize version visibility for Linux Chrome — Make sure your endpoint inventory can distinguish Chrome/Chromium versions on Linux and report anything below 149.0.7827.53. There is no mitigation SLA — go straight to the 365-day remediation window, but browsers should usually be swept in the next routine update ring, not left to drift.
Watch for browser exploit fallout — Hunt for Chrome-originated child processes, suspicious downloads, odd outbound connections, credential-store access, and crash spikes on Linux hosts. This is a containment aid, not a fix, and for MEDIUM there is no mitigation SLA attached.
Use isolation for high-risk web activity — Where you already have remote browser isolation or VDI jump boxes for untrusted browsing, steer your highest-value Linux users there until patch coverage is complete. With a MEDIUM verdict, deploy via normal operational change rather than emergency motion.

What doesn't work

Perimeter scanning doesn't help much because this is not a server-side exposure; you need endpoint version inventory.
WAF rules are the wrong control surface; the vulnerable parser is in the client browser, not your web app.
MFA helps account takeover downstream, but it does not stop the memory corruption trigger itself.
Generic patch priority based only on vendor HIGH overstates urgency here; the real-world prerequisites materially narrow exploitability.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux endpoint or through your EDR/SSH fleet runner. Invoke it as bash check_chrome_cve_2026_10899.sh with normal user privileges; it checks installed google-chrome, google-chrome-stable, chromium, or chromium-browser binaries and reports VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_chrome_cve_2026_10899.sh
# Detect exposure to CVE-2026-10899 on Linux based on local Chrome/Chromium version.
# Affected: Google Chrome on Linux prior to 149.0.7827.53
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u
FIXED_VERSION="149.0.7827.53"
FOUND=0
STATUS="UNKNOWN"
DETAILS=""

version_lt() {
  # returns 0 if $1 < $2
  local a b IFS=.
  read -r -a a <<< "$1"
  read -r -a b <<< "$2"
  local len=${#a[@]}
  if [ ${#b[@]} -gt "$len" ]; then len=${#b[@]}; fi
  for ((i=0; i<len; i++)); do
    local ai=${a[i]:-0}
    local bi=${b[i]:-0}
    # force base-10
    ai=$((10#$ai))
    bi=$((10#$bi))
    if (( ai < bi )); then return 0; fi
    if (( ai > bi )); then return 1; fi
  done
  return 1
}

check_bin() {
  local bin="$1"
  local ver raw
  if ! command -v "$bin" >/dev/null 2>&1; then
    return
  fi
  FOUND=1
  raw="$($bin --product-version 2>/dev/null || $bin --version 2>/dev/null || true)"
  ver="$(printf '%s' "$raw" | grep -Eo '[0-9]+(\.[0-9]+){2,3}' | head -n1)"

  if [ -z "$ver" ]; then
    DETAILS+="$bin: unable to parse version from '$raw'\n"
    return
  fi

  if version_lt "$ver" "$FIXED_VERSION"; then
    STATUS="VULNERABLE"
    DETAILS+="$bin: $ver < $FIXED_VERSION\n"
  else
    if [ "$STATUS" != "VULNERABLE" ]; then
      STATUS="PATCHED"
    fi
    DETAILS+="$bin: $ver >= $FIXED_VERSION\n"
  fi
}

check_bin google-chrome
check_bin google-chrome-stable
check_bin chromium
check_bin chromium-browser

if [ "$FOUND" -eq 0 ]; then
  echo "UNKNOWN - No Chrome/Chromium binary found in PATH"
  exit 2
fi

printf "%b" "$DETAILS"
case "$STATUS" in
  VULNERABLE)
    echo "VULNERABLE"
    exit 1
    ;;
  PATCHED)
    echo "PATCHED"
    exit 0
    ;;
  *)
    echo "UNKNOWN"
    exit 2
    ;;
esac

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: identify your Linux Chrome fleet, especially privileged developer/admin endpoints, and roll them through the next standard browser update ring to 149.0.7827.53 or later. Because this is MEDIUM and there is no KEV or active exploitation signal, there is noisgate mitigation SLA — go straight to the 365-day remediation window; operationally, though, browsers should not sit that long, so use your normal desktop patch motion now and complete the actual browser update no later than the noisgate remediation SLA of 365 days.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.