← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-10963 · CWE-472 · Disclosed 2026-06-04

Integer overflow in V8 in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a burglar getting through the lobby door but still stuck behind the apartment’s deadbolt

CVE-2026-10963 is an integer overflow in Chrome’s V8 JavaScript engine. Google/NVD describe affected versions as Google Chrome prior to 149.0.7827.53, with the stable release fixing Linux at 149.0.7827.53 and Windows/Mac at 149.0.7827.53/.54. The trigger is a crafted HTML page, so the initial exploit path is ordinary web content rendered in a Chrome renderer process.

The vendor’s HIGH 8.8 is directionally fair on reachability, but it overstates enterprise impact if read as full-host RCE. The key limiter is right in the description: code execution is *inside a sandbox*. That means this CVE alone is usually a renderer compromise, not workstation takeover, and real damage often requires a second bug, a sandbox escape, token theft, or user-data abuse.

"Mass-reachable bug, but the payload lands in Chrome’s renderer sandbox, not your domain controller"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the target on a hostile page

The weaponized tool here is a malicious HTML/JavaScript payload delivered through phishing, malvertising, a compromised site, or an embedded webview. The user has to render attacker-controlled content in Chrome, which matches the CVSS UI:R requirement and the vendor description of a crafted HTML page.
Conditions required:
  • Target uses Chrome below 149.0.7827.53
  • Attacker can get the user to load attacker-controlled web content
  • JavaScript is enabled for the malicious page
Where this breaks in practice:
  • This is not wormable; it needs user navigation or equivalent content rendering
  • Email filtering, safe browsing, web proxying, and user behavior cut down the reachable population
  • Enterprise-managed browser rollouts often close this class quickly
Detection/coverage: Network scanners are poor at finding exploit attempts here; rely on browser version inventory, proxy telemetry, Safe Browsing events, and suspicious browser crash spikes.
STEP 02

Trigger the V8 integer overflow

The exploit uses crafted script logic to drive V8 into an integer overflow condition. In practice that means renderer memory corruption and a path to attacker-controlled code execution within the renderer process.
Conditions required:
  • Vulnerable V8 build is present
  • Exploit chain matches the exact patched bug conditions
  • Exploit survives browser hardening and modern memory mitigations
Where this breaks in practice:
  • No public PoC was found in the reviewed sources
  • Chromium bug details are restricted, so casual copycat exploitation is slowed
  • Browser exploit reliability is fragile across versions, OSes, and mitigations
Detection/coverage: EDR may only see chrome.exe instability or anomalous child-process behavior after successful follow-on actions; pure renderer exploitation often has weak direct detection.
STEP 03

Execute inside the renderer sandbox

If successful, attacker code runs in Chrome’s renderer, not with normal user freedom. Chromium’s own architecture docs describe renderer processes as sandboxed and heavily restricted, which materially limits direct OS, file-system, and device access.
Conditions required:
  • Exploit gains code execution in the renderer
  • Sandbox remains the only boundary crossed so far
Where this breaks in practice:
  • Renderer compromise does not equal host compromise
  • Modern Chrome process isolation and sandboxing sharply reduce blast radius from a single bug
  • Access to the local OS and cross-process actions is constrained by design
Detection/coverage: Chrome’s own sandbox diagnostics and EDR process trees help confirm process context, but vulnerability scanners still mostly reduce this to version-based detection.
STEP 04

Monetize the foothold or chain a second bug

The practical attacker move after renderer code exec is data theft within browser reach, session abuse, or pairing this with a sandbox escape/local privilege escalation. Without that second-stage capability, this bug is usually a contained browser compromise rather than broad enterprise compromise.
Conditions required:
  • Attacker needs browser-accessible secrets, a second exploit, or high-value session material
  • Target host contains useful authenticated browser state
Where this breaks in practice:
  • No evidence in reviewed sources of active exploitation or a public exploit chain for this CVE
  • Session theft value varies widely by user role and token protections
  • MFA, token binding, conditional access, and re-auth reduce post-exploitation payoff
Detection/coverage: Look for anomalous use of browser cookies/tokens, impossible-travel sign-ins, browser spawning unusual processes, and local crash telemetry correlated with suspect browsing.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo reviewed source says this CVE is being exploited in the wild. Google’s June 2, 2026 release note does not flag active exploitation, and the CVE is not present in CISA KEV.
Proof-of-concept availabilityNo public PoC was found in reviewed official/primary sources. The Chromium issue for this bug (511218177) exists but is permission-restricted, which slows opportunistic copycat weaponization.
EPSSUser-supplied EPSS is 0.0008. That is extremely low and supports a downgrade from 'internet-reachable therefore emergency' thinking, though EPSS is a threat-likelihood input, not an impact metric.
KEV statusNot KEV-listed as of the reviewed CISA catalog. No CISA due date exists because it is absent from KEV.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H = easy remote delivery, no auth, but user interaction required and scope unchanged. The missing scope change and explicit UI:R are real downward pressure.
Affected versionsNVD lists Google Chrome versions before 149.0.7827.53 as affected across Windows, macOS, and Linux.
Fixed versionsGoogle’s stable release on 2026-06-02 shipped fixes in Linux 149.0.7827.53 and Windows/Mac 149.0.7827.53/.54. For distro-managed Chromium derivatives, package naming/backports are vendor-specific, so verify the distro changelog rather than relying on the upstream Chrome string alone.
Exposure / scanning realityThis is a client-side browser flaw, so Shodan/Censys/FOFA-style internet exposure counts are mostly meaningless. Your exposure question is not 'how many are on the internet' but 'how many managed endpoints still run Chrome below 149.0.7827.53'.
Disclosure timelineReported by Google on 2026-05-08 in the Chrome release note, shipped in stable on 2026-06-02, and published in NVD on 2026-06-04.
Researcher / reporterThe release note attributes this one to Google rather than an external named researcher.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to HIGH (7.1/10)

The decisive factor is that successful exploitation yields code execution inside Chrome’s renderer sandbox, not reliable host compromise by itself. I kept it in HIGH because Chrome is ubiquitous, the delivery vector is ordinary web content, and user interaction is cheap for attackers even when the final blast radius is constrained.

HIGH Affected/fixed version range and disclosure timeline
MEDIUM No-public-PoC / no-active-exploitation assessment
MEDIUM Severity downgrade rationale based on sandbox-limited impact

Why this verdict

  • Downgrade for sandboxed impact: the vendor text itself says code execution occurs *inside a sandbox*, which is materially weaker than full workstation takeover.
  • Downward pressure from UI:R: the attacker needs the user to render hostile content, so this is not wormable and not a spray-the-internet service exploit.
  • Reachability keeps it out of MEDIUM: Chrome is everywhere, and the initial attack position is unauthenticated remote over the web, so the exposure population is huge even if final impact is bounded.
  • No exploitation signal: not KEV-listed, no Google zero-day flag in the release note, no public PoC found in reviewed primary sources, and the supplied EPSS (0.0008) is very low.
  • Modern controls partially help, but don’t erase risk: Safe Browsing, web filtering, EDR, and enterprise auto-update reduce success rates, yet none reliably stops a fresh browser exploit every time.

Why not higher?

This is not a clean unauthenticated service-side RCE on a server tier, and it is not documented as actively exploited. The attack still needs user interaction and, on the facts available, lands in the renderer sandbox rather than breaking straight to host-level code execution.

Why not lower?

Browsers are one of the largest exposed attack surfaces in the enterprise, and a crafted web page is a very low-friction initial lure. Even sandboxed renderer code execution can still enable credential/session theft, browser-state abuse, or pairing with a second bug for full compromise.

05 · Compensating Control

What to do — in priority order.

  1. Force browser auto-update compliance — Use your browser management plane to ensure Chrome reaches 149.0.7827.53 or later everywhere; for a HIGH verdict, drive this control deployment within 30 days. This is the highest-value mitigation because this bug is fundamentally version-gated.
  2. Block unmanaged or stale Chrome builds — Use device compliance policy, software restriction, or NAC posture checks to deny outdated browsers access to sensitive SaaS and internal apps. Deploy within 30 days so the remaining long-tail endpoints stop carrying interactive web exploit risk into high-value sessions.
  3. Tighten risky web paths — Use secure web gateway categories, ad-blocking, Safe Browsing enforcement, and phishing-resistant browsing policies to cut off common delivery routes for crafted HTML exploit pages. Roll this out within 30 days as a practical exposure reducer while patch rollout finishes.
  4. Watch for browser-to-OS pivot behavior — Tune EDR detections for suspicious child processes, DLL loads, and token/session theft behavior originating from Chrome. Put this in place within 30 days because the main residual risk is not the renderer bug itself but the follow-on chain.
  5. Protect browser-backed sessions — Prioritize MFA, short session lifetimes, re-auth for admin actions, and conditional access on privileged web apps. Implement or validate these controls within 30 days because they reduce the payoff of a renderer compromise that harvests browser-accessible state.
What doesn't work
  • A perimeter vulnerability scanner: this is a client-side browser issue, so external scanning tells you almost nothing about exposure.
  • A WAF in front of internal apps: the exploit can be delivered by any hostile page on the internet, not just by traffic to your apps.
  • Assuming 'sandboxed' means harmless: the sandbox lowers impact, but it does not prevent browser-session theft, local data exposure in browser scope, or chaining with a second exploit.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your endpoint management agent; it needs only normal user privileges. Example: python3 check_cve_2026_10963.py or python check_cve_2026_10963.py --chrome-version 149.0.7827.52 if you want to test a version string directly.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# CVE-2026-10963 Chrome version check
# Outputs exactly one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import platform
import re
import shutil
import subprocess
import sys

FIXED = (149, 0, 7827, 53)


def parse_ver(s):
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', s or '')
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def ver_to_str(v):
    return '.'.join(str(x) for x in v)


def is_patched(v):
    return v >= FIXED


def run_cmd(cmd):
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10)
        out = (p.stdout or '') + ' ' + (p.stderr or '')
        return out.strip()
    except Exception:
        return ''


def windows_candidates():
    paths = []
    for base in [os.environ.get('ProgramFiles'), os.environ.get('ProgramFiles(x86)'), os.environ.get('LocalAppData')]:
        if not base:
            continue
        paths.append(os.path.join(base, 'Google', 'Chrome', 'Application', 'chrome.exe'))
    return [p for p in paths if p and os.path.exists(p)]


def mac_candidates():
    paths = [
        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
        os.path.expanduser('~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'),
    ]
    return [p for p in paths if os.path.exists(p)]


def linux_candidates():
    names = ['google-chrome', 'google-chrome-stable', 'chromium', 'chromium-browser']
    found = []
    for n in names:
        p = shutil.which(n)
        if p:
            found.append(p)
    return found


def get_versions_from_paths(paths):
    versions = []
    for p in paths:
        out = run_cmd([p, '--version'])
        v = parse_ver(out)
        if v:
            versions.append((p, v))
    return versions


def main():
    # Optional direct version input
    if len(sys.argv) == 3 and sys.argv[1] == '--chrome-version':
        v = parse_ver(sys.argv[2])
        if not v:
            print('UNKNOWN')
            sys.exit(2)
        if is_patched(v):
            print('PATCHED')
            sys.exit(0)
        else:
            print('VULNERABLE')
            sys.exit(1)

    system = platform.system().lower()
    candidates = []

    if system == 'windows':
        candidates = windows_candidates()
    elif system == 'darwin':
        candidates = mac_candidates()
    else:
        candidates = linux_candidates()

    versions = get_versions_from_paths(candidates)

    if not versions:
        print('UNKNOWN')
        sys.exit(2)

    vulnerable = []
    patched = []
    for path, ver in versions:
        if is_patched(ver):
            patched.append((path, ver))
        else:
            vulnerable.append((path, ver))

    # If any installed Chrome/Chromium found is below fixed, treat host as vulnerable.
    if vulnerable:
        print('VULNERABLE')
        sys.exit(1)
    else:
        print('PATCHED')
        sys.exit(0)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a standard-but-serious browser rollout, not a drop-everything zero-day. For a HIGH verdict the noisgate mitigation SLA is within 30 days, so use that window to enforce browser auto-update, block stale/unmanaged builds from sensitive apps, and tighten web-delivery controls; the noisgate remediation SLA is within 180 days, but for a ubiquitous endpoint app like Chrome you should operationally finish the actual browser upgrade to 149.0.7827.53+ in your next normal endpoint cycle rather than letting it age in backlog.

Sources

  1. NVD entry for CVE-2026-10963
  2. Google Chrome stable desktop release for version 149
  3. Chromium issue 511218177
  4. CISA Known Exploited Vulnerabilities Catalog
  5. Chromium multi-process architecture
  6. Chromium Chrome sandbox diagnostics for Windows
  7. FIRST EPSS overview
  8. FIRST EPSS API documentation
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.