Severity: HIGH | CVE-2026-10009 | CNA: Chrome

CVE-2026-10009: Integer overflow in Skia in Google Chrome prior to 148

Integer overflow in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

Synopsis

An integer overflow in Skia, the graphics library embedded in Google Chrome, allows a remote attacker who has already compromised the renderer process to execute arbitrary code within the browser sandbox. The vulnerability is reachable over the network and requires no authentication, but the attacker must trick a user into visiting a crafted HTML page and must already control the renderer process, making this a chained or multi-stage exploit. Successful exploitation achieves full code execution inside the sandbox, with high impact to confidentiality, integrity, and availability. A patched-image rebuild at Chrome 148.0.7778.216 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-10009 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle or vendor Chrome or Chromium.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.5 HIGH and surfaces it alongside per-environment compliance policy weighting to determine routing priority; findings are directed to the appropriate team inbox within each customer organization based on configured policy rules.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 148.0.7778.216 is available for any image HarborGuard identifies as running an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers a crafted HTML page over the network, so the affected Chrome instance must be reachable or able to fetch remote content from an attacker-controlled origin.

  • Authentication: Not required

    No account or credential is needed; the attack is initiated entirely through a webpage any unauthenticated user can visit.

  • Victim interaction: Required

    The target user must open or be directed to a crafted HTML page, requiring a social-engineering or phishing step to trigger the exploit.

  • Attack complexity: Detail

    Attack complexity is high; the attacker must first have compromised the renderer process through a separate vulnerability before this integer overflow can be leveraged for code execution.

Blast Radius

  • Executes arbitrary code inside the Chrome sandbox, giving the attacker control over the renderer process's full execution context.
  • Reads sensitive in-memory data accessible to the renderer, including page content, credentials autofilled on the current page, and session tokens.
  • Modifies in-memory state and rendered output, enabling tampering with page content or in-browser data before it reaches the user.
  • Crashes or destabilizes the affected renderer process, disrupting the user's browsing session and any associated real-time functionality.

How HarborGuard Handles This

Available on HarborGuard: any image containing Chrome prior to 148.0.7778.216 is flagged immediately upon CVE ingestion. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the patched version, executes regression tests, and opens a pull request against affected workloads; for high-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers who manage patching manually, HarborGuard surfaces the finding with CVSS context and a direct reference to the fix version so the upgrade can be prioritized and tracked through the compliance dashboard. Until a patched image is deployed, consider restricting or disabling browser-based workloads that render untrusted HTML, and applying network policy controls to limit outbound connections from affected containers to known-safe origins.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 148.0.7778.216
  • Affected Products: 1

Fix available: 148.0.7778.216

Affected packages

  • Google / Chrome
    < 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H