Auto-CTI
Status: NEW · Severity: CRITICAL · Admiralty grade: A3

CVE-2026-12008: Use-After-Free in DigitalCredentials in Google Chrome prior to 149.0.7827.115 allows sandbox escape

Source: NVD (reliability A) · CVE-2026-12008

Admiralty grading (A–F · 1–6)

Source reliability

  • A Completely reliable
  • B Usually reliable
  • C Fairly reliable
  • D Not usually reliable
  • E Unreliable
  • F Cannot be judged

Information credibility

  • 1 Confirmed
  • 2 Probably true
  • 3 Possibly true
  • 4 Doubtful
  • 5 Improbable
  • 6 Cannot be judged

NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.

Key metrics

EPSS: 0%

Key insight

A sandbox escape in Google Chrome lets an attacker who already has code execution in the renderer process escalate further along the attack chain.

Description

CVE-2026-12008 is a use-after-free vulnerability in the DigitalCredentials feature of Google Chrome prior to version 149.0.7827.115. An attacker with a compromised renderer process can potentially escape the Chrome sandbox and gain operating-system-level access through a crafted HTML page. The vulnerability is rated as critical and enables privilege escalation following renderer compromise. Patches are available in Chrome 149.0.7827.115 and later.

Risk score

54

  • cvss base: 45.00
  • kev bonus: 0.00
  • epss bonus: 0.00
  • poc bonus: 0.00
  • raw before weight: 45.00
  • industry weight: 1.21
  • freshness factor: 1.00
  • exploitability factor: 1.00
  • days old: 0.00
  • vendor mismatch penalty: 0.00

Path: operational

MITRE ATT&CK mapping

2 TTPs
[ATT&CK tactic matrix. Columns: Recon, Resource Dev, Initial Access, Persistence, Priv. Escal., Cred. Access, Discovery, Lateral Mov., Collection, C2, Exfiltration, Impact. Confidence legend: high, medium, low.]

Procedure details

T1203 Exploitation for Client Execution

  • Tactic: Execution
  • Procedure: A crafted HTML page exploits a use-after-free vulnerability (CVE-2026-12008) in the DigitalCredentials component of Google Chrome prior to 149.0.7827.115 to achieve code execution within the renderer process.
  • Conf.: high
  • Source: llm

T1211 Exploitation for Defense Evasion

  • Tactic: Defense Evasion
  • Procedure: The use-after-free vulnerability in Chrome's DigitalCredentials allows an attacker who has compromised the renderer process to escape the Chrome sandbox, bypassing the browser's security isolation mechanisms.
  • Conf.: high
  • Source: llm