Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15119

CVE-2026-15119: Google Chrome Sandbox Escape Vulnerability

CVE-2026-15119 is a sandbox escape flaw in Google Chrome's GetUserMedia that allows attackers with compromised renderer access to escape the sandbox. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-15119 Overview

CVE-2026-15119 is a race condition in the GetUserMedia implementation of Google Chrome prior to version 150.0.7871.115. An attacker who has already compromised the renderer process can exploit this flaw through a crafted HTML page to attempt a sandbox escape. Chromium security engineers rated the underlying issue as High severity. The weakness is classified under CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization. Successful exploitation moves an attacker out of the renderer sandbox and toward broader code execution on the host.

Critical Impact

A compromised renderer can win a race in GetUserMedia handling to escape the Chrome sandbox, enabling attackers to break the browser's core isolation boundary.

Affected Products

  • Google Chrome Desktop versions prior to 150.0.7871.115
  • Chromium-based browsers that inherit the vulnerable GetUserMedia code path
  • All supported desktop platforms (Windows, macOS, Linux) running affected Chrome builds

Discovery Timeline

  • 2026-07-08 - CVE-2026-15119 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-15119

Vulnerability Analysis

The flaw resides in Chrome's GetUserMedia API, which grants web pages access to microphones and cameras after user consent. Concurrent execution paths inside the media capture pipeline access shared state without adequate synchronization. An attacker who already controls the renderer process can time operations to interleave with privileged browser-process operations. Winning this race corrupts state that the broker process trusts, opening a path to sandbox escape.

The vulnerability requires a two-stage attack chain. Attackers must first achieve code execution inside the renderer through a separate bug, then use CVE-2026-15119 to break out of the sandbox. User interaction is required, which typically means visiting a malicious page and interacting with media prompts. Attack complexity is high because the attacker must reliably win the race window.

Root Cause

The root cause is improper synchronization [CWE-362] between threads or processes handling GetUserMedia requests. Shared resources tied to media stream negotiation are read or modified without consistent locking, allowing a Time-of-Check to Time-of-Use (TOCTOU) condition. The compromised renderer manipulates request state between validation and use in the browser process.

Attack Vector

Exploitation is network-reachable. An attacker delivers a crafted HTML page that first exploits a renderer bug, then triggers the racy GetUserMedia code path. The scope changes because a successful escape crosses the security boundary from renderer sandbox to the browser process context. Details of the specific race window are tracked in the Chromium Issue Tracker Entry.

No public proof-of-concept exploit is available at the time of publication. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-15119

Indicators of Compromise

  • Chrome renderer processes spawning unexpected child processes or writing to sensitive filesystem locations after visiting untrusted pages
  • Crash reports in Chrome referencing GetUserMedia, MediaStreamManager, or media capture components
  • Outbound connections to attacker infrastructure from chrome.exe shortly after media permission prompts
  • Chrome browser versions below 150.0.7871.115 reported by asset inventory systems

Detection Strategies

  • Inventory installed Chrome versions across the fleet and flag hosts below 150.0.7871.115
  • Monitor process trees for anomalous children of Chrome renderer or browser processes
  • Alert on Chrome processes accessing directories outside typical browser data paths
  • Correlate media device access events with subsequent unusual process or network activity

Monitoring Recommendations

  • Ingest browser telemetry and crash dumps into a centralized log platform for retrospective analysis
  • Track HTTP traffic to newly registered domains that request camera or microphone permissions
  • Enable enterprise browser reporting to capture extension activity and permission grants
  • Baseline normal renderer process behavior so deviations tied to sandbox escapes surface quickly

How to Mitigate CVE-2026-15119

Immediate Actions Required

  • Update Google Chrome to version 150.0.7871.115 or later on all endpoints
  • Restart the browser after patching to ensure the vulnerable process code is unloaded
  • Audit Chromium-based browsers (Edge, Brave, Opera, Vivaldi) and apply vendor updates that incorporate the upstream fix
  • Restrict installation of untrusted browser extensions that could aid renderer compromise

Patch Information

Google released the fix in the Stable channel update announced in the Google Chrome Desktop Update. Administrators should deploy Chrome 150.0.7871.115 or newer through managed update infrastructure. Enterprise environments using Chrome Browser Cloud Management can enforce the minimum version via policy.

Workarounds

  • Disable camera and microphone access at the operating system or policy level for users who do not require media capture
  • Use Chrome enterprise policies to block GetUserMedia on all origins except an allowlist
  • Deploy site isolation and strict permission prompts to reduce the attack surface from untrusted origins
  • Route browsing through remote browser isolation for high-risk user populations until patching completes
bash
# Enforce minimum Chrome version and restrict media capture via enterprise policy (Windows registry example)
reg add "HKLM\Software\Policies\Google\Chrome" /v AudioCaptureAllowed /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Policies\Google\Chrome" /v VideoCaptureAllowed /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Policies\Google\Chrome" /v AudioCaptureAllowedUrls /t REG_MULTI_SZ /d "https://trusted.example.com" /f
reg add "HKLM\Software\Policies\Google\Chrome" /v VideoCaptureAllowedUrls /t REG_MULTI_SZ /d "https://trusted.example.com" /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.