CVE-2026-10884: Use after free in Chromecast in Google Chrome prior to 149
Use after free in Chromecast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 8.3
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Chromecast component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. The attack is reachable over the network but requires the victim to visit or interact with a malicious page, and it carries high impact across confidentiality, integrity, and availability due to the scope change enabled by the sandbox escape. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-10884 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including the Chrome CNA advisory. This capability covers both pulled public images and custom-built images that bundle a Chrome or Chromium binary.
HarborGuard is capable of scoring this CVE at CVSS 8.3 HIGH and weighting it further against each environment's compliance policy, which may escalate effective severity for internet-facing workloads where Chrome is embedded. Triage findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against the affected workload automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the victim over the network, delivering a crafted HTML page that the victim's browser loads.
- Authentication: Not required
  No credentials or account are needed; the attack is launched from an unauthenticated web page.
- Victim interaction: Required
  The victim must visit or otherwise interact with the attacker-controlled HTML page, making this a social-engineering-dependent attack.
- Attack complexity: Detail
  Exploitation is rated high complexity, meaning the attacker must have already compromised the renderer process before the use-after-free can be used for a sandbox escape, introducing a significant prerequisite step.
Blast Radius
- A successful sandbox escape gives the attacker code execution outside the Chrome renderer sandbox, at a privilege level beyond the browser process itself.
- With high confidentiality impact, the attacker can read data accessible to the browser process, including stored credentials, cookies, and session tokens.
- With high integrity impact, the attacker can write or modify files and data reachable by the escaped process, including user profile data and locally cached content.
- With high availability impact, the attacker can crash or hang the affected service or host process, disrupting the user session and any dependent workloads.
How HarborGuard Handles This
Available on HarborGuard: any image in a customer registry or CI pipeline that bundles Google Chrome below 149.0.7827.53 is flagged at CVSS 8.3 HIGH as soon as the CVE enters the ingestion pipeline. Where compliance policy permits auto-remediation, HarborGuard triggers a rebuild of the affected image at Chrome 149.0.7827.53, runs a regression test suite against the rebuilt image, and opens a pull request against the affected workload; for high-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with fix-version context so that engineering teams can prioritize the manual upgrade. Given that exploitation requires a pre-compromised renderer process plus victim interaction, teams unable to patch immediately should consider network-policy controls that restrict egress from Chrome-embedding containers and content-security-policy headers on any internally hosted pages that load Chrome-rendered content.
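A local version of the "Chrome below 149.0.7827.53" check described above, as an added example that is not HarborGuard's code or part of the original page. It compares a version banner against the fixed release field by field; the function names and sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a Chrome build older than the fixed release named on
# this page. Function names and sample banners are constructed.
FIXED_VERSION="149.0.7827.53"

# Pull the first four-part version out of a banner such as
# "Google Chrome 148.0.7700.12", the format `google-chrome --version` prints.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 if version $1 is strictly lower than version $2. Fields are compared
# numerically, left to right; a string compare would rank .100 below .53.
version_lt() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2                      # split both versions into 8 fields
    IFS=$old_ifs
    [ "$#" -eq 8 ] || return 2        # not two four-part versions
    a1=$1 a2=$2 a3=$3 a4=$4; shift 4  # $1..$4 now hold the second version
    for a in "$a1" "$a2" "$a3" "$a4"; do
        [ "$a" -lt "$1" ] && return 0
        [ "$a" -gt "$1" ] && return 1
        shift
    done
    return 1                          # equal is not lower
}

# Print a verdict for one banner; return 0 affected, 1 fixed, 2 unknown.
check_chrome() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo "UNKNOWN  no version in: $1"; return 2; }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "AFFECTED $v (below $FIXED_VERSION)"; return 0
    fi
    echo "OK       $v"; return 1
}

# Constructed banners; inside an image, pass the bundled binary's
# --version output instead.
for banner in "Google Chrome 148.0.7700.12" "Google Chrome 149.0.7827.9" \
              "Google Chrome 149.0.7827.53" "Google Chrome 149.0.7827.100"; do
    check_chrome "$banner" || true
done
```

The exit status of `check_chrome` can gate a CI step, so a build fails when the bundled browser is still below the fixed release.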
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H