Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1913+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-15773: Chrome Use-After-Free Sandbox Escape (CVSS 9.6)
CVE-2026-15773: Chrome Use-After-Free Sandbox Escape (CVSS 9.6)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-15773

CVE-2026-15773: Chrome Use-After-Free Sandbox Escape (CVSS 9.6)

A critical use-after-free vulnerability in Google Chrome's Core component on Windows allows remote attackers to escape the browser sandbox via a crafted HTML page. Patch to Chrome 150.0.7871.125 immediately.

Dylan H.

Security Team

July 15, 2026
4 min read

Affected Products

  • Google Chrome < 150.0.7871.125 (Windows)

Executive Summary

Google patched CVE-2026-15773 on July 14, 2026 — a critical use-after-free vulnerability in Chrome's Core component affecting Windows systems. With a CVSS 3.1 score of 9.6 (Critical), this flaw allows a remote unauthenticated attacker to potentially escape the Chrome sandbox by luring a victim to a crafted HTML page.

The vulnerability was one of 15 security fixes bundled in Chrome stable release 150.0.7871.124/125, which also addressed two other critical Use-After-Free issues (CVE-2026-15764 and CVE-2026-15765 in the Ozone component). No in-the-wild exploitation has been confirmed at the time of disclosure.

All Chrome users on Windows should update immediately.


Vulnerability Details

Root Cause

CVE-2026-15773 is a Use-After-Free (CWE-416) memory corruption bug in Chrome's Core component, Windows-specific. Use-after-free flaws occur when a program continues to use a pointer after the memory it references has been freed:

  1. A Core object is allocated during page rendering
  2. The object is freed under a specific sequence of operations
  3. The freed memory region is subsequently referenced
  4. An attacker-controlled value occupies the freed memory slot
  5. The attacker achieves controlled code execution within the renderer

Because this vulnerability crosses the sandbox boundary, successful exploitation could grant an attacker the ability to execute code outside the renderer's sandboxed process — equivalent to a full sandbox escape on Windows.

CVSS Vector

MetricValue
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionRequired (visit crafted page)
ScopeChanged
Confidentiality ImpactHigh
Integrity ImpactHigh
Availability ImpactHigh
CVSS 3.1 Score9.6 Critical

The Changed scope is what drives the severity to 9.6 — the exploit escapes the sandboxed renderer process and can affect resources outside it.


Affected Versions

PlatformVulnerable VersionsFixed Version
WindowsChrome < 150.0.7871.125150.0.7871.124/.125
macOSChrome < 150.0.7871.124150.0.7871.124
LinuxChrome < 150.0.7871.124150.0.7871.124

Note: The Windows-specific sandbox escape (CVSS 9.6) applies only to Windows builds. The vulnerability may exist cross-platform but the sandbox escape primitive is Windows-specific per the advisory.

Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) share Chrome's rendering engine and may be affected. Monitor their respective security advisories for patches.


Threat Context

CVE-2026-15773 was discovered and responsibly disclosed by xinchaotian of Microsoft on June 25, 2026 — roughly 19 days before Google's patch. This is part of Chrome's broader July 2026 security update which bundled:

  • 2 Critical Use-After-Free issues (including this CVE)
  • 12 High severity issues
  • 1 Medium issue

No active exploitation has been confirmed by Google, CISA, or third-party threat intelligence sources as of July 15, 2026. The Chromium bug tracker entry remains restricted (non-public), which is standard practice while the patch propagates.


Immediate Remediation

Update Chrome (Priority Action)

  1. Open Chrome and navigate to chrome://settings/help
  2. Chrome will automatically detect and download the latest version
  3. Click Relaunch to complete the update
  4. Verify: you should see version 150.0.7871.125 or later on Windows

Enterprise Deployment

# Force Chrome update via Google Update (Windows)
$updatePath = "HKLM:\SOFTWARE\Policies\Google\Update"
Set-ItemProperty -Path $updatePath `
  -Name "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" `
  -Value 1
 
# Trigger immediate update check
& "C:\Program Files\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
# Linux — update via package manager
sudo apt update && sudo apt upgrade google-chrome-stable
 
# macOS — update via brew if applicable
brew upgrade --cask google-chrome

If Patching Is Delayed

  • Enable Site Isolation: verify at chrome://flags/#enable-site-per-process (enabled by default in modern Chrome)
  • Enable Enhanced Safe Browsing: Settings → Privacy and Security → Security → Enhanced protection
  • Restrict untrusted browsing: limit access to known-good sites during the patch window
  • Block unknown HTML payloads at the network perimeter where feasible

Detection Guidance

Signs of Exploitation Attempt

Use-after-free exploitation often produces abnormal renderer crashes. Monitor for:

  • Chrome renderer process (chrome.exe --type=renderer) crashing unexpectedly
  • Windows Event Log: Application crashes for chrome.exe with access violation exceptions
  • Chrome crash dumps in %LocalAppData%\Google\Chrome\User Data\Crashpad\reports\
  • Unexpected child process spawning from chrome.exe outside normal patterns

Network Indicators

  • Visits to recently registered domains delivering complex or obfuscated HTML/JS
  • Large inline HTML or script payloads from untrusted external sources
  • Unexpected outbound connections from the Chrome process to unknown IPs shortly after page load

Timeline

DateEvent
June 25, 2026xinchaotian (Microsoft) reports vulnerability to Google
July 14, 2026Google releases Chrome 150.0.7871.124/.125 with fix
July 14, 2026CVE-2026-15773 published to NVD
July 15, 2026CISA-ADP CVSS 9.6 assessment published

References

  • NVD — CVE-2026-15773
  • Google Chrome Releases Blog
  • CWE-416: Use After Free
#Google Chrome#CVE-2026-15773#Use-After-Free#Sandbox Escape#Windows#Browser Security

Related Articles

Google Patches First Chrome Zero-Day of 2026: CVE-2026-2441

Google has patched CVE-2026-2441, a high-severity use-after-free vulnerability in Chrome's CSS component that has been actively exploited — the first...

4 min read

Google Chrome GPU Use-After-Free Sandbox Escape

A CVSS 9.6 critical use-after-free vulnerability in the GPU component of Google Chrome prior to 147.0.7727.138 allows a remote attacker to potentially...

6 min read

Google Chrome Use-After-Free Zero-Day Under Active

A high-severity use-after-free vulnerability in Chrome's CSS engine is being actively exploited in the wild. Google's first in-the-wild Chrome zero-day of...

3 min read
Back to all Security Alerts