Use after free in FullScreen in Google Chrome on Windows prior to 149

CVE-2026-10908 is a use-after-free in Chrome FullScreen on Windows. The affected population is Google Chrome on Windows prior to 149.0.7827.53; Google’s stable desktop release moved Windows/Mac to 149.0.7827.53/54 on 2026-06-02. The key detail is the precondition in the description: the attacker must have already compromised the renderer process and then use this bug to try to cross the browser sandbox boundary.

Google’s HIGH 8.3 is technically fair in Chromium’s own taxonomy because renderer sandbox escapes are high severity by design, but for patch-priority reality this is not a one-click internet-to-host compromise. The attacker needs a prior memory-corruption or logic bug in renderer-reachable content first, which is strong downward pressure; the reason this still lands HIGH instead of MEDIUM is that Chrome is ubiquitous on Windows and sandbox-escape primitives are exactly what turns a renderer foothold into real device impact.

Why this verdict

• Big downgrade factor: prior compromise required — the attacker position is effectively *post-exploitation inside a renderer*, which implies they already burned or bought another bug first.
• Exposure is huge, but reachable population is narrower than CVSS implies — Chrome is universal, yet only Windows builds below 149.0.7827.53 are relevant and only after a renderer foothold.
• Modern controls should break stage one more often than stage two — browser hardening, EDR exploit protections, and rapid Chrome auto-updates put friction on the full chain even if this individual bug is serious.

Why not higher?

It is not higher because the vulnerability does not directly give an unauthenticated remote attacker code execution on the host. The exploit chain must already be inside the renderer sandbox, which is a material prerequisite that sharply reduces who can use it and how often it will be used at scale.

Why not lower?

It is not lower because a Chrome sandbox escape on Windows is still a high-value chain component in a massively deployed target. Once stage one exists, this class of bug can convert a contained browser exploit into genuine endpoint impact, which is too important for backlog-only treatment.

1. Force Chrome Stable auto-update — Ensure Windows endpoints are not pinned below 149.0.7827.53 and that Google Update or your managed deployment channel is allowed to move forward. For a HIGH verdict, deploy this control within 30 days if patch rollout is not already automatic.
2. Remove risky version pinning — Review Target version prefix, rollback policies, and Extended Stable exceptions that strand users on older Windows builds. This matters most in large estates where the browser looks 'managed' but is quietly held below the fixed build; fix the policy within 30 days.
3. Isolate unpatchable browsing tiers — For kiosks, regulated systems, or brittle app stacks that cannot move immediately, place high-risk users behind remote browser isolation, VDI, or equivalent containment. Use this as a temporary brake on exploit-chain risk and deploy it within 30 days.
4. Hunt for suspicious Chrome child activity — Tune EDR detections for chrome.exe spawning script hosts, LOLBins, unexpected file writes, or credential-store access attempts. This will not stop the bug, but it will shorten dwell time if someone successfully chains a renderer exploit with this sandbox escape; implement within 30 days.

Run this on the target Windows endpoint or through your EDR/RMM as a local inventory check. Invoke with powershell.exe -ExecutionPolicy Bypass -File .\check-chrome-cve-2026-10908.ps1; standard user is usually enough because it only reads file metadata from common Chrome install paths and user profile locations.

# check-chrome-cve-2026-10908.ps1

# Outputs: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 1 = vulnerable, 0 = patched, 2 = unknown


$ErrorActionPreference = 'SilentlyContinue'
$fixedVersion = [version]'149.0.7827.53'

$paths = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "$env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe",
    "$env:LocalAppData\Google\Chrome\Application\chrome.exe"
) | Select-Object -Unique

$found = @()
foreach ($p in $paths) {
    if (Test-Path $p) {
        try {
            $fv = (Get-Item $p).VersionInfo.FileVersion
            if ($fv) {
                $ver = [version]($fv.Split(' ')[0])
                $found += [pscustomobject]@{
                    Path = $p
                    Version = $ver
                }
            }
        } catch {
        }
    }
}

if (-not $found -or $found.Count -eq 0) {
    Write-Output 'UNKNOWN - Chrome executable not found in standard install paths'
    exit 2
}

$vuln = $found | Where-Object { $_.Version -lt $fixedVersion }
$patched = $found | Where-Object { $_.Version -ge $fixedVersion }

if ($vuln.Count -gt 0) {
    $details = ($vuln | ForEach-Object { "$($_.Path) [$($_.Version)]" }) -join '; '
    Write-Output "VULNERABLE - Found Chrome for Windows below $fixedVersion : $details"
    exit 1
}

if ($patched.Count -gt 0) {
    $details = ($patched | ForEach-Object { "$($_.Path) [$($_.Version)]" }) -join '; '
    Write-Output "PATCHED - All discovered Chrome installs are at or above $fixedVersion : $details"
    exit 0
}

Write-Output 'UNKNOWN - Unable to determine Chrome version state'
exit 2

Sources

1. Chrome Releases - Stable Channel Update for Desktop (Chrome 149)
2. Chrome Releases - Early Stable Update for Desktop
3. Chromium - chrome://sandbox Diagnostics for Windows
4. Chromium - Severity Guidelines for Security Issues
5. CISA Known Exploited Vulnerabilities Catalog
6. FIRST EPSS API endpoint for this CVE
7. Chrome Enterprise - Manage Chrome updates (Windows)
8. Chromium issue referenced by the Chrome 149 advisory