CVE-2026-40369

2 posts

The sandbox was never the hard part

CVE-2026-40369 is a 12-byte Mojo IPC overflow in Chromium that converts renderer RCE into browser-process code execution on the host.

May 23, 2026

Article

Twelve bytes walked out of the sandbox

CVE-2026-40369 reduced a browser sandbox escape to twelve bytes. Analysis of what failed, why it failed, and what must change at the architecture layer.

May 22, 2026