Google Chrome DigitalCredentials Sandbox Escape Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.6)

CVE-2026-12440

A "use after free" vulnerability in Google Chrome's DigitalCredentials component on Windows could allow a remote attacker to escape the browser's sandbox by tricking a user into visiting a malicious HTML page. This could potentially lead to unauthorized access to system resources or sensitive information.

Use After Free

Halo Surface Signal

Very unlikely · external exposure

This vulnerability exists within a client-side web browser application. While exploitation occurs via web content, the browser itself is a user-facing client application, not an internet-facing server, service, or gateway that is public-facing by design in a network infrastructure context.

Horizon Alert

Summary of the vulnerability and why it matters

A critical "use after free" vulnerability has been identified in the DigitalCredentials component of Google Chrome on Windows. It could allow a remote attacker to escape the browser's sandbox by luring a user to a malicious web page, posing a risk to system security.

  • Browser flaw allows sandbox escape.
  • Critical flaw may affect user systems.
  • Confirm relevance and user exposure.

Attack Path

How an attacker could exploit the issue

A remote attacker could exploit this vulnerability by tricking a user into visiting a malicious website. The attacker's crafted HTML page would then interact with the DigitalCredentials component within Google Chrome, leading to a use-after-free condition that could allow the attacker to escape the browser's sandbox.

  • No special access required.
  • Malicious HTML page.
  • Sandbox escape risk.

Live Threat

Current exploitation, exposure, and threat context

A use-after-free vulnerability in DigitalCredentials within Google Chrome on Windows could allow a remote attacker to escape the browser's sandbox. This could happen when a user visits a specially crafted HTML page, potentially leading to unauthorized access to system resources or sensitive information.

  • Sandbox escape to access system data.
  • Via a crafted HTML page.
  • Potential unauthorized system access.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability resides in Google Chrome's DigitalCredentials component, impacting users on Windows. The initial step for impacted organizations is to identify all instances of the affected Chrome version, determine their business criticality and network exposure, and then assign an owner for remediation.

  • Chrome owners should confirm affected deployments.
  • Verify user exposure and business impact.
  • Plan remediation with vendor coordination.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-12440 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE is PCI scan-relevant because it is a potential sandbox escape vulnerability in Chrome, which could allow a remote attacker to escape the sandbox via a crafted HTML page.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Frequently asked questions

What is Google Chrome DigitalCredentials?

DigitalCredentials is a component within the Google Chrome browser on Windows responsible for managing identity and authentication data. It acts as a bridge between the browser and secure system-level identity services. Like other browser features, it processes web content to facilitate tasks like signing into websites or verifying user identity, making it a critical part of the browser's interaction with the operating system.

What does use-after-free mean in CVE-2026-12440?

This vulnerability is a 'use-after-free' (CWE-416) memory error. It occurs when the software continues to use a memory location after it has been deleted or freed. Because the memory is no longer reserved for that specific purpose, an attacker can manipulate the data in that location. In this case, such manipulation allows the attacker to bypass Chrome's sandbox, which is the security boundary designed to keep malicious web content from harming the underlying Windows operating system.

How does an attacker trigger this vulnerability?

An attacker triggers this flaw by luring a user to visit a malicious HTML page designed to interact with the browser's DigitalCredentials component. It does not trigger through standard network services or background traffic; it requires active user interaction with the crafted content. If the user does not visit the specific malicious site, the vulnerable code path remains dormant, and the exploit cannot occur.

Do I need to worry about this if I don't host web servers?

According to Halo Surface Signal, this vulnerability affects a client-side browser, not a server-side application. Because Chrome is a user-facing tool, it does not fit the profile of an internet-facing server or gateway that is public-facing by design. Your primary concern should be the security of end-user devices running Chrome, rather than typical infrastructure network perimeters, as the risk is tied to where individuals browse.

When should I update Google Chrome?

You should prioritize updating Google Chrome to version 149.0.7827.155 or higher immediately. As a first step, verify your current browser version to confirm if you are on an affected release. Since this is a critical sandbox escape flaw, ensure that automated update mechanisms are functioning or push the update manually to all Windows workstations to mitigate the risk of unauthorized system access from malicious web pages.
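
The version check described above, as an added example that is not part of the original advisory: it sorts Windows hosts from an endpoint inventory export into patched, vulnerable and unknown, treating anything below the stated fixed version as needing the update. The CSV column names and host rows are constructed for illustration; only the version 149.0.7827.155 comes from this page.

```python
import csv
import io

# Fixed version taken from the advisory text; everything else here is constructed.
FIXED_VERSION = "149.0.7827.155"

# Constructed sample of an endpoint inventory export (hypothetical column names).
SAMPLE_INVENTORY = """hostname,os,chrome_version
ws-001,Windows,149.0.7827.155
ws-002,Windows,149.0.7827.99
ws-003,Windows,148.0.7700.200
ws-004,macOS,148.0.7700.200
ws-005,Windows,150.0.7900.10
ws-006,Windows,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv, fixed=FIXED_VERSION):
    """Sort Windows hosts into patched / vulnerable / unknown buckets."""
    fixed_v = parse_version(fixed)
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # The advisory scopes the issue to Chrome on Windows.
        if row["os"].strip().lower() != "windows":
            continue
        version = parse_version(row["chrome_version"])
        if version is None:
            # Unparseable data is not evidence of a patched host.
            result["unknown"].append(row["hostname"])
        elif version < fixed_v:
            # Tuple comparison is numeric per component; a string
            # comparison would rank 7827.99 above 7827.155.
            result["vulnerable"].append(row["hostname"])
        else:
            result["patched"].append(row["hostname"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the unknown bucket should be re-inventoried rather than assumed patched.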