HIGH | CVE-2026-10020 | CNA: Chrome

CVE-2026-10020: Insufficient validation of untrusted input in Skia in Google Chrome on Android prior to 148

Insufficient validation of untrusted input in Skia in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

HarborGuard analysis

Synopsis

This is a sandbox escape vulnerability in the Skia graphics library within Google Chrome on Android, affecting versions prior to 148.0.7778.216. It is reachable over the network and requires no authentication, but does require a victim to interact with a crafted HTML page, and the attacker must have already compromised the renderer process. Successful exploitation allows the attacker to break out of the Chrome sandbox and execute code with elevated privileges on the host device. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-10020 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built Android container images that bundle Chrome. Coverage extends to images in both registered repositories and active CI/CD pipelines.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.3 (HIGH) and weighting it against each environment's compliance policy to determine urgency and routing. Triage results are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at Chrome version 148.0.7778.216 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the target device must be reachable or the user must browse to an attacker-controlled resource over the internet.

  • Authentication: Not required

    No account credentials or prior authentication are needed; the attacker operates as an unauthenticated remote party.

  • Victim interaction: Required

    The victim must visit or be redirected to a crafted HTML page, making this a social-engineering-dependent attack.

  • Attack complexity: Detail

    Exploitation is rated high complexity because the attacker must already have compromised the renderer process before the sandbox escape step, introducing a significant prerequisite condition.

Blast Radius

  • An attacker who successfully escapes the sandbox gains code execution outside Chrome's sandboxed renderer, bypassing the isolation boundary intended to contain browser-level compromises.
  • Confidential data accessible to the Chrome process on the device, including stored credentials, cookies, and session tokens, becomes readable to the attacker.
  • The attacker gains the ability to write to or modify data on the device at the privilege level of the Chrome process, enabling persistent file-system changes.
  • The attacker can crash or disrupt the Chrome process and potentially other device services reachable from the escaped sandbox context.

How HarborGuard Handles This

Available on HarborGuard: detection of this CVE is matched against customer images within minutes of advisory publication, covering any image that packages a version of Chrome for Android prior to 148.0.7778.216. For customers who opt into auto-remediation, HarborGuard initiates a patched-image rebuild at the fixed version, executes the configured regression test run, and opens a pull request against affected workloads. For high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuild artifact and a prioritized triage ticket are queued for the responsible team. Because this exploit requires a pre-compromised renderer in addition to victim interaction, teams without immediate patch capacity may reduce exposure by enforcing network policies that restrict outbound browsing to known-safe origins and by gating Chrome updates through a controlled rollout policy until the fixed build is confirmed deployed.

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 148.0.7778.216
  • Affected Products: 1

Fix available: 148.0.7778.216

Affected packages

  • Google / Chrome
    < 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H