Severity: HIGH | CVE-2026-10006 | CNA: Chrome

CVE-2026-10006: Race in WebAudio in Google Chrome prior to 148

Race in WebAudio in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

Synopsis

A race condition in the WebAudio component of Google Chrome prior to version 148.0.7778.216 allows a remote attacker to execute arbitrary code inside the browser sandbox. Exploitation requires the attacker to serve a crafted HTML page that the victim must visit, and the attack must win a timing race within the browser process. Successful exploitation gives the attacker code execution within the Chrome sandbox. A patched-image rebuild at 148.0.7778.216 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-10006 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Chrome or Chromium. Any image containing a Chrome version below 148.0.7778.216 is flagged automatically.

Triage: Available

Triage is available using the CVSS v3.1 score of 7.5 (HIGH), weighted further by each customer environment's compliance policy to prioritize findings and route alerts to the appropriate team inbox within each organization.

Patch: Available

A patched-image rebuild at Chrome 148.0.7778.216 is available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs the configured regression suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim over the network by hosting a crafted HTML page the victim's browser fetches remotely.

  • Authentication: Not required

    No authentication or account credentials are needed; any unauthenticated remote attacker can serve the malicious page.

  • Victim interaction: Required

    The victim must actively visit the attacker-controlled HTML page, making this dependent on a social-engineering or malicious-redirect step.

  • Attack complexity: Detail

    Exploitation is rated high complexity because the attacker must win a timing race inside the browser process, which is sensitive to scheduling conditions and may require repeated attempts.

Blast Radius

  • Within the Chrome sandbox, the attacker gains the ability to execute arbitrary code, enabling full control over the sandboxed renderer process.
  • Confidential data accessible to the renderer, such as page content, session state, and credentials entered in the browser, can be read by the attacker.
  • The attacker can modify in-memory browser state and page content visible to the user, enabling tampering with rendered output.
  • All three impact dimensions (confidentiality, integrity, availability) are rated HIGH, meaning the attacker can also crash or destabilize the affected renderer process.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome below 148.0.7778.216 are matched against this CVE within minutes of publication and flagged with a HIGH severity finding weighted by your environment's compliance policy. A rebuild at the fixed version 148.0.7778.216 is available for any affected image. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes the configured regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not permitted by compliance policy, the finding is routed to the designated team inbox with remediation steps and the pinned fix version noted explicitly.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 148.0.7778.216
  • Affected Products: 1

Fix available: 148.0.7778.216

Affected packages

  • Google / Chrome: < 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H