Integer overflow in V8 in Google Chrome prior to 149

CVE-2026-10987 is described as an integer overflow in V8, Chrome's JavaScript engine, affecting Google Chrome versions prior to 149.0.7827.53. The stated outcome is arbitrary code execution *inside the Chrome sandbox* after a user is lured to attacker-controlled web content; the public description appears truncated, but Chrome V8 bugs of this class are typically triggered via a crafted HTML or script payload rendered by the browser.

Google's HIGH 8.8 baseline is understandable for a remote browser memory-corruption bug, but it overstates enterprise impact if read as host compromise. The decisive reality check is that the bug lands code execution in a renderer sandbox, not native OS-level execution, and there is no current KEV listing, no cited in-the-wild exploitation, and the provided EPSS signal is extremely low. That pushes this down from emergency to disciplined fleet hygiene.

Why this verdict

• Downgrade for sandbox-only impact: the public description says arbitrary code execution occurs *inside a sandbox*, which is materially below direct host RCE.
• Downgrade for user-interaction dependence: this is a browser bug that still needs the victim to render attacker-controlled content, so reach depends on phishing, malvertising, or site compromise.
• Downgrade for low threat signal: no KEV listing, no public in-the-wild reporting found, and the supplied EPSS 0.0008 is very low.
• Baseline remains meaningful because exposure is broad: Chrome is ubiquitous and attacker-controlled web content is easy to deliver, so this is not LOW.
• Exploit development is non-trivial in practice: renderer memory-corruption exploits are version-sensitive and modern V8/browser hardening increases real-world friction.

Why not higher?

To justify HIGH or CRITICAL here, I would want either evidence of active exploitation, a demonstrated sandbox escape chain, or a public description showing unsandboxed/native code execution on the host. We have none of those. The public description narrows impact to the renderer sandbox, which is exactly the kind of friction that should push a score down.

Why not lower?

This is still a remotely reachable browser memory-corruption bug in one of the most exposed applications in the enterprise. Attackers do not need credentials, and security controls do not reliably prevent a user from eventually loading hostile web content. Even sandboxed renderer code execution is too much attacker capability to dismiss as mere backlog noise.

1. Force browser auto-update compliance — Use Chrome enterprise policy, your software deployment platform, or EDR software management to ensure endpoints actually move to 149.0.7827.53 or later. For a MEDIUM noisgate verdict there is no mitigation SLA — go straight to the 365-day remediation window, but for browsers you should still clean up non-updating stragglers in the current maintenance cycle because exposure is universal.
2. Reduce untrusted web exposure — Tighten safe-browsing posture, DNS\/URL filtering, ad blocking, and remote browser isolation for high-risk user groups to reduce the chance of hostile content ever reaching a vulnerable renderer. This is a sensible risk reducer while patch coverage catches up; for MEDIUM, there is no noisgate mitigation SLA, so apply as standard hardening rather than emergency change.
3. Harden browser execution paths — Block unsupported extensions, restrict developer mode, and enforce exploit protection\/EDR policies around browser child-process behavior. These controls do not fix the bug, but they can reduce post-exploitation options if a renderer is compromised before the patch lands within the 365-day remediation window.
4. Prioritize high-risk user cohorts — Patch admins, finance, executives, developers, researchers, and users with heavy external web exposure first because they are the most likely to encounter targeted content. Even with a MEDIUM verdict, targeted-phishing populations deserve accelerated operational attention.

Run this on the target Windows endpoint or via your endpoint management tool as the logged-in user or an administrator; admin rights are not strictly required for local version checks. Invoke with powershell -ExecutionPolicy Bypass -File .\check-chrome-cve-2026-10987.ps1 and it will inspect common Chrome install locations and output VULNERABLE, PATCHED, or UNKNOWN.

# check-chrome-cve-2026-10987.ps1\n# Exit codes:\n#   0 = PATCHED\n#   1 = VULNERABLE\n#   2 = UNKNOWN\n\n$ErrorActionPreference = 'Stop'\n$fixedVersion = [version]'149.0.7827.53'\n\nfunction Get-ChromeVersion {\n    $candidates = @(\n        "$Env:ProgramFiles\\Google\\Chrome\\Application\\chrome.exe",\n        "$Env:ProgramFiles(x86)\\Google\\Chrome\\Application\\chrome.exe",\n        "$Env:LocalAppData\\Google\\Chrome\\Application\\chrome.exe"\n    )\n\n    foreach ($path in $candidates) {\n        if (Test-Path $path) {\n            try {\n                $item = Get-Item $path\n                if ($item.VersionInfo -and $item.VersionInfo.ProductVersion) {\n                    return [pscustomobject]@{\n                        Path = $path\n                        Version = $item.VersionInfo.ProductVersion\n                    }\n                }\n            }\n            catch {\n                continue\n            }\n        }\n    }\n\n    return $null\n}\n\ntry {\n    $chrome = Get-ChromeVersion\n\n    if (-not $chrome) {\n        Write-Output 'UNKNOWN: Google Chrome not found in common install paths'\n        exit 2\n    }\n\n    try {\n        $installedVersion = [version]$chrome.Version\n    }\n    catch {\n        Write-Output ("UNKNOWN: Unable to parse Chrome version '{0}' at {1}" -f $chrome.Version, $chrome.Path)\n        exit 2\n    }\n\n    if ($installedVersion -lt $fixedVersion) {\n        Write-Output ("VULNERABLE: Chrome {0} at {1} is older than fixed version {2}" -f $installedVersion, $chrome.Path, $fixedVersion)\n        exit 1\n    }\n    else {\n        Write-Output ("PATCHED: Chrome {0} at {1} is at or above fixed version {2}" -f $installedVersion, $chrome.Path, $fixedVersion)\n        exit 0\n    }\n}\ncatch {\n    Write-Output ("UNKNOWN: {0}" -f $_.Exception.Message)\n    exit 2\n}\n

Sources

1. Google Chrome Releases - Early Stable Update for Desktop (149.0.7827.53\/.54)
2. Google Chrome Releases - May 2026 archive showing 149.0.7827.53 early stable rollout
3. Chromium source tags showing `149.0.7827.53` exists
4. Chrome for Developers - Early stable release schedule explanation
5. CISA Known Exploited Vulnerabilities Catalog
6. FIRST EPSS overview
7. FIRST EPSS FAQ
8. VulDB entry mirroring the public CVE description for CVE-2026-10987