Severity: HIGH | CVE-2026-10005 | CNA: Chrome

CVE-2026-10005: Use after free in WebAppInstalls in Google Chrome on Mac prior to 148

Use after free in WebAppInstalls in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis


Synopsis

A use-after-free vulnerability affects the WebAppInstalls component of Google Chrome on macOS in versions prior to 148.0.7778.216. The flaw is reachable over the network but requires an attacker to convince a user to perform specific UI gestures on a crafted HTML page; no prior authentication to Chrome or the system is needed. Successful exploitation gives the attacker arbitrary code execution in the context of the browser process. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: CVE-2026-10005 is ingested from upstream advisory feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle Google Chrome. Note that the affected product is the desktop Chrome build for macOS, so affected installs are typically found on managed endpoints rather than in container images; the version threshold (any build below 148.0.7778.216) is the same wherever a Chrome installation is inventoried.

Triage: Available

HarborGuard surfaces this CVE with its CVSS 3.1 base score of 7.5 (High) and applies per-environment compliance policy weighting to prioritize and route alerts to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild at Chrome 148.0.7778.216 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing the target to a crafted HTML page; the user must be able to browse to attacker-controlled content.

  • Authentication: Not required

    No account, session token, or prior credential is needed; the attack originates from an unauthenticated remote position via a web page.

  • Victim interaction: Required

    The attacker must convince the user to perform specific UI gestures inside Chrome (the advisory does not say which), making this a social-engineering-dependent exploit.

  • Attack complexity: High

    Attack complexity is rated High in the CVSS vector (AC:H), meaning the exploit depends on conditions the attacker cannot fully control, such as timing or the heap layout needed to exploit the use-after-free, which reduces reliability.

Blast Radius

  • A successful attacker achieves arbitrary code execution inside the Chrome browser process on the affected Mac host; the CVSS scope is Unchanged, so the impact is bounded by the privileges of that process and the user running it.
  • With code execution in the browser context, the attacker can read sensitive data accessible to Chrome, including saved passwords, cookies, and session tokens stored in the browser profile.
  • The attacker can modify browser state, inject content into open tabs, or write files to locations the browser process can access.
  • A crash or takeover of the browser process denies service to the user and to any web applications open in that Chrome session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10005 is active across all customer registries and pipelines the moment the advisory is ingested, with no manual configuration required. For environments where affected images are identified, a rebuild pinned to Chrome 148.0.7778.216 is queued automatically. Where compliance policy permits auto-remediation, the full flow runs without manual steps: the image is rebuilt, a regression test run is executed against the patched image, and a pull request is opened against affected workloads. For high-severity issues, the median time from CVE publication to merged patch PR for environments with auto-remediation enabled is around 90 minutes. Teams that review remediations manually will find the patched rebuild staged and ready in HarborGuard alongside the full CVSS detail and affected image list needed to prioritize the fix.


Metrics

CVSS v3.1 base score: 7.5
Severity: HIGH
Fixed in: 148.0.7778.216
Affected products: 1

Fix available: 148.0.7778.216

Affected packages
  • Google / Chrome: versions < 148.0.7778.216 (fixed in 148.0.7778.216)

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
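Added example, not HarborGuard tooling or Chrome project code: a POSIX shell check that classifies a Chrome for Mac version string as affected or fixed by comparing its four dotted numeric fields against the fixed build 148.0.7778.216, and, when run on a Mac, reads the installed version from the application bundle's Info.plist. The function names (`version_lt`, `chrome_affected`, `installed_chrome_version`) and the sample inventory entries at the bottom are my own constructions for illustration.

```shell
#!/bin/sh
# Added example for CVE-2026-10005; not HarborGuard tooling or Chrome project code.
# Classifies a Chrome for Mac version as affected (< 148.0.7778.216) or fixed.

FIXED_VERSION="148.0.7778.216"

# version_lt A B: return 0 if A < B, comparing the four dotted numeric
# fields (major.minor.build.patch) one at a time; a missing field counts as 0.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s\n' "$a" | cut -d. -f"$i")
        fb=$(printf '%s\n' "$b" | cut -d. -f"$i")
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # all four fields equal, so not less than
}

# chrome_affected VERSION: print "affected" or "fixed" for the given version.
chrome_affected() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo affected
    else
        echo fixed
    fi
}

# installed_chrome_version: on macOS, read the bundle version of the default
# Chrome install from its Info.plist; returns non-zero where the bundle is
# absent (for example on a Linux CI runner) so callers can skip it.
installed_chrome_version() {
    plist="/Applications/Google Chrome.app/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    defaults read "$plist" CFBundleShortVersionString
}

# Constructed sample inventory (hostname, version) for illustration only.
for entry in "mac-01 148.0.7778.215" "mac-02 148.0.7778.216" \
             "mac-03 147.0.7700.99"  "mac-04 149.0.8001.3"; do
    set -- $entry
    printf '%s\t%s\t%s\n' "$1" "$2" "$(chrome_affected "$2")"
done

# On a Mac, also report the live install.
if v=$(installed_chrome_version); then
    printf 'local\t%s\t%s\n' "$v" "$(chrome_affected "$v")"
fi
```

The comparison is field-by-field rather than a string compare, so 148.0.7778.216 is correctly reported as fixed while 148.0.7778.99 (lexically larger) is reported as affected; feed it the version strings from whatever endpoint inventory or MDM export you have.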