CVE-2026-10972 · Use after free in Ozone in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

01 · The Real Story

This is a loaded trapdoor in the Linux Chrome UI stack, not a worm ripping through the network

CVE-2026-10972 is a CWE-416 use-after-free in Chrome's Ozone platform layer on Linux. Per the advisory, Google Chrome on Linux before 149.0.7827.53 is affected, and a remote attacker can trigger the bug with a crafted HTML page to *potentially* achieve a sandbox escape. That matters because Ozone sits in the Linux windowing/display path, so this is not just tab crash territory; the stated impact crosses the browser sandbox boundary.

The vendor's 9.6 CRITICAL score is technically defensible in a vacuum because sandbox escape from web content is premium exploit real estate. In real enterprise deployments, though, the score overstates operational urgency: the bug is Linux-only, still needs user interaction to load attacker-controlled content, has no KEV listing, no public PoC/tooling, and an EPSS of 0.035% (11th percentile). That is still a real patch priority, just not a lights-on-fire emergency.

"Serious browser-to-host risk, but Linux-only scope, user interaction, and zero exploitation evidence keep this out of CRITICAL."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the victim on a malicious page

The attacker needs the target to browse to attacker-controlled HTML/JavaScript in Chrome on Linux. The weaponized tool here is a custom exploit page; there is no public exploit kit or PoC referenced in the advisory trail. This is classic browser exploitation delivery: phishing link, malvertising, or compromised site.

Conditions required:

Target uses Google Chrome on Linux
Version is earlier than 149.0.7827.53
User opens attacker-controlled or attacker-influenced web content

Where this breaks in practice:

Requires user interaction (UI:R), so it is not self-propagating
Linux Chrome is a narrower enterprise population than Windows/macOS desktop fleets
URL filtering, browser isolation, or remote browsing can cut off the delivery stage

Detection/coverage: Generic vuln scanners can flag outdated Chrome versions, but they do not prove exploit reachability. Secure web gateways, DNS filtering, and browser telemetry are better at detecting the delivery step than network scanners.

STEP 02

Trigger memory corruption in Ozone

Once the page loads, the attacker drives a browser code path that hits the use-after-free in Ozone. The weaponized component remains the same private exploit page, likely using crafted DOM/UI/rendering interactions to produce a dangling pointer and controlled heap state. Successful exploitation depends on achieving a stable corruption primitive rather than just a renderer crash.

Conditions required:

Victim is on Linux where Ozone code paths are in play
Exploit reliably reaches the vulnerable Ozone lifecycle condition
Browser mitigations do not turn the bug into a harmless crash

Where this breaks in practice:

Modern Chrome hardening makes turning UAF into stable code execution materially harder
Advisory language says 'potentially' perform a sandbox escape, which implies exploitability was not described as trivial
No public exploit details or bug internals are available because Chromium issue details are restricted

Detection/coverage: Crash telemetry, renderer/browser process faults, and EDR detections on anomalous child process behavior can surface failed or noisy attempts. Traditional perimeter scanners have no visibility into this step.

STEP 03

Cross the sandbox boundary

The stated impact is sandbox escape, meaning the attacker aims to move from web-content compromise into a more privileged browser or host context. The weaponized chain is still a private exploit chain rather than a named public tool. This is the step that justifies taking the bug seriously: browser sandbox escapes are far more dangerous than renderer-only bugs.

Conditions required:

The memory corruption primitive is strong enough to cross security boundaries
The local browser sandbox and host mitigations do not block the chain
Target is running the vulnerable Linux build

Where this breaks in practice:

A sandbox escape is a higher bar than a renderer crash or same-process RCE
Host hardening, seccomp/AppArmor policies, and browser sandboxing reduce success rates in real environments
Linux desktop populations are often smaller and more managed in enterprise

Detection/coverage: EDR on Linux, auditd/process ancestry monitoring, and browser crash analytics are the best bets. Vulnerability scanners usually stop at version detection and cannot confirm exploit chaining.

STEP 04

Act on the endpoint

If the chain succeeds, the attacker can execute follow-on actions in the user context or whatever context the sandbox escape reaches. At that point the browser bug has become an endpoint compromise problem, and the attacker's next tools are standard post-exploitation tradecraft rather than anything unique to this CVE. The blast radius is the endpoint and user session, not an internet-facing service farm.

Conditions required:

Exploit chain completes successfully
Endpoint lacks controls that stop post-exploitation behavior

Where this breaks in practice:

EDR, application control, and least-privilege reduce post-exploitation usefulness
Compromise is per-user/per-endpoint, not a one-shot server-side fleet compromise

Detection/coverage: Strong EDR coverage should catch unusual process launches, persistence attempts, credential access, or outbound C2. This is where mature endpoint tooling should start paying for itself.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No authoritative exploitation evidence found in the sources reviewed. Not KEV-listed as of this assessment; treat as serious but not observed-active.
PoC availability	No public PoC or exploit repo was identified in the advisory chain. The Chromium issue is restricted, which is normal for fresh browser memory-corruption bugs.
EPSS	0.035% (11th percentile) per GHSA; that is low predicted near-term exploitation pressure, not zero risk.
KEV status	Not listed in CISA's Known Exploited Vulnerabilities Catalog at time of assessment.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H` — the high score comes from network delivery plus scope change and full impact, but the required user interaction is real friction.
Affected versions	Per GHSA and Google's stable release post, Google Chrome on Linux prior to `149.0.7827.53`.
Fixed version	Upgrade Linux Chrome to `149.0.7827.53` or later. For enterprise Linux repos that repackage Chromium/Chrome, verify distro backports rather than relying only on upstream version naming.
Exposure and scanning reality	Inference from product type: this is a client-side browser flaw, so Shodan/Censys/FOFA exposure metrics are basically useless; they do not enumerate enterprise desktop browser patch levels. Your real exposure is the count of managed Linux endpoints still below `149.0.7827.53`.
Disclosure timeline	Google's desktop stable update shipped on 2026-06-02; GHSA was published on 2026-06-05; the Chrome release notes list the bug as reported on 2026-05-14.
Reporter / source	Reported by Google according to the Chrome release post. Chromium tagged it High severity, while GHSA/NVD-style scoring surfaced a 9.6 Critical CVSS.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.2/10)

The decisive factor is that exploitation still starts with client-side user interaction on Linux Chrome, not unauthenticated reach into an internet-facing service. The impact is severe if chained successfully, but the reachable population and observed threat pressure are both meaningfully narrower than the vendor's raw CVSS implies.

HIGH Affected version and fixed-version mapping

MEDIUM Real-world exploitability without public technical details

HIGH Downgrade rationale driven by Linux-only scope, UI requirement, and lack of exploitation evidence

Why this verdict

Started from vendor 9.6: sandbox escape from crafted web content is inherently dangerous and deserves a high baseline
First downward adjustment — user interaction: the attacker must get a user onto malicious content (UI:R), which removes wormability and cuts opportunistic reach
Second downward adjustment — Linux-only scope: this is not a whole-enterprise Chrome event unless you actually run a meaningful Linux desktop fleet
Third downward adjustment — no active exploitation signal: no KEV entry, no public campaign references, and an EPSS of 0.035% / 11th percentile argue against emergency-tier pressure
Fourth downward adjustment — no public weaponization: no public PoC or exploit tool lowers copycat risk and mass-abuse speed
Why it stays HIGH: browser sandbox escape is still premium attacker payoff, and Chrome is widely used wherever Linux endpoints exist

Why not higher?

This is not an unauthenticated, server-side, internet-facing service flaw that an attacker can hit at scale without help from a user. The combination of Linux-only targeting, required browsing interaction, and no exploitation evidence strips away the conditions that usually justify a noisgate CRITICAL verdict.

Why not lower?

A browser sandbox escape is materially more dangerous than a renderer-only crash or a cosmetic client bug. If you have Linux endpoints browsing untrusted content, the bug can plausibly turn a web visit into endpoint compromise, so pushing it down to MEDIUM would understate the host impact.

05 · Compensating Control

What to do — in priority order.

Force the upgraded browser build — Push Chrome 149.0.7827.53 or later through your Linux package/channel controls and block older builds from lingering. For a HIGH verdict, deploy this control within 30 days while you complete full remediation.
Restrict untrusted browsing on Linux endpoints — Use secure web gateway policy, remote browser isolation, or VDI/jump-host patterns for high-risk browsing populations so commodity phishing pages do not reach local Chrome directly. This is the best temporary blast-radius reduction and should be in place within 30 days if patch rollout is staggered.
Hunt for outdated Linux Chrome installs — Inventory by package manager, EDR software catalog, or config management rather than waiting for network scanners. Your exposure metric is the number of Linux endpoints below 149.0.7827.53; complete that identification within 30 days.
Watch Linux browser crash and child-process telemetry — Alert on repeated Chrome crashes, suspicious descendants of the browser, and odd browser-to-shell/process execution patterns. It will not prevent exploitation, but it gives you a fighting chance to catch attempts while patching, and should be enabled within 30 days.

What doesn't work

A WAF does not help; this is a client browser parsing/execution bug, not a flaw in your web app.
Simple perimeter vulnerability scanning is weak coverage; scanners do not see endpoint browser patch state reliably and cannot validate exploitability.
Relying on email security alone is incomplete; delivery can come from malvertising, compromised sites, chat links, docs, or any browser-driven path.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux endpoint or through your fleet agent/SSH automation. Invoke it as bash check_cve_2026_10972.sh with no special privileges required for version checks; example: ssh user@host 'bash -s' < check_cve_2026_10972.sh.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_10972.sh
# Detects likely exposure to CVE-2026-10972 on Linux Chrome/Chromium installs.
# Outputs exactly one of: VULNERABLE, PATCHED, UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

FIXED_VERSION="149.0.7827.53"

ver_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ]
}

normalize_ver() {
  echo "$1" | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -n1
}

get_bin_version() {
  local bin="$1"
  if command -v "$bin" >/dev/null 2>&1; then
    "$bin" --version 2>/dev/null | head -n1
    return 0
  fi
  return 1
}

CANDIDATES=(
  google-chrome
  google-chrome-stable
  chromium
  chromium-browser
  /opt/google/chrome/chrome
  /usr/bin/google-chrome
  /usr/bin/google-chrome-stable
  /usr/bin/chromium
  /usr/bin/chromium-browser
)

found_name=""
found_raw_ver=""
found_ver=""

for c in "${CANDIDATES[@]}"; do
  raw="$(get_bin_version "$c")" || continue
  ver="$(normalize_ver "$raw")"
  if [ -n "$ver" ]; then
    found_name="$c"
    found_raw_ver="$raw"
    found_ver="$ver"
    break
  fi
done

# Fallback to package manager queries if binary lookup failed
if [ -z "$found_ver" ]; then
  if command -v dpkg-query >/dev/null 2>&1; then
    for pkg in google-chrome-stable google-chrome chromium chromium-browser; do
      raw="$(dpkg-query -W -f='${Version}\n' "$pkg" 2>/dev/null | head -n1)"
      ver="$(normalize_ver "$raw")"
      if [ -n "$ver" ]; then
        found_name="$pkg"
        found_raw_ver="$raw"
        found_ver="$ver"
        break
      fi
    done
  fi
fi

if [ -z "$found_ver" ]; then
  if command -v rpm >/dev/null 2>&1; then
    for pkg in google-chrome-stable google-chrome chromium chromium-browser; do
      raw="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null | head -n1)"
      ver="$(normalize_ver "$raw")"
      if [ -n "$ver" ]; then
        found_name="$pkg"
        found_raw_ver="$raw"
        found_ver="$ver"
        break
      fi
    done
  fi
fi

if [ -z "$found_ver" ]; then
  echo "UNKNOWN"
  echo "No Chrome/Chromium version could be determined on this host." >&2
  exit 2
fi

# Advisory text is for Google Chrome on Linux. Chromium package builds may carry distro backports.
# If Chromium is detected, version-only checks may over-report risk; verify distro backport status.
case "$found_name" in
  chromium|chromium-browser|/usr/bin/chromium|/usr/bin/chromium-browser)
    if ver_lt "$found_ver" "$FIXED_VERSION"; then
      echo "UNKNOWN"
      echo "Detected Chromium-style build: $found_name ($found_raw_ver). Version is below upstream fixed version, but distro backports may already include the fix. Verify vendor package changelog." >&2
      exit 2
    else
      echo "PATCHED"
      echo "Detected Chromium-style build: $found_name ($found_raw_ver). Version is at or above upstream fixed version." >&2
      exit 0
    fi
    ;;
esac

if ver_lt "$found_ver" "$FIXED_VERSION"; then
  echo "VULNERABLE"
  echo "Detected $found_name version $found_ver, which is earlier than fixed version $FIXED_VERSION." >&2
  exit 1
else
  echo "PATCHED"
  echo "Detected $found_name version $found_ver, which is at or above fixed version $FIXED_VERSION." >&2
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: identify every Linux endpoint running Chrome below 149.0.7827.53, force-update managed channels, and put high-risk Linux browsing behind web filtering or browser isolation where rollout lags. For this HIGH verdict, the noisgate mitigation SLA is within 30 days and the noisgate remediation SLA is within 180 days; because there is no KEV or active exploitation evidence, this is a strong scheduled priority rather than an hours-level emergency.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.