CVE-2026-10887: Use after free in Chromoting in Google Chrome on Mac prior to 149
Use after free in Chromoting in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Chromoting (Chrome Remote Desktop) component of Google Chrome on macOS allows a remote attacker to execute arbitrary code by sending malicious network traffic. No authentication or victim interaction is required, though the attacker must win a race condition or meet specific environmental prerequisites to reliably trigger the memory corruption. Successful exploitation gives the attacker full code execution within the Chrome process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-10887 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Google Chrome on macOS base layers.
Available
HarborGuard scores this CVE at 8.1 HIGH (CVSS v3.1) and applies each customer organization's compliance policy weighting before routing the finding to the appropriate team inbox.
Available
A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available in HarborGuard as soon as the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs the regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the target over the network by sending crafted traffic to the Chromoting service; no local or physical access is needed.
- Authentication: Not required
  No account credentials or session token are needed; the exploit path is fully unauthenticated.
- Victim interaction: Not required
  The vulnerability is triggered purely through inbound network traffic; the user on the target machine does not need to click, open, or approve anything.
- Attack complexity: Detail
  Attack complexity is rated High, meaning the attacker must satisfy specific race-condition timing or memory-layout prerequisites rather than firing a simple, unconditional payload.
Blast Radius
- A successful attacker achieves arbitrary code execution inside the Chrome process on the target Mac, giving full control over what that process can read and write.
- Confidential data accessible to Chrome, including stored credentials, session cookies, and browsing history, is exposed to the attacker.
- The attacker can modify in-memory state and on-disk data that Chrome has write access to, including profile data and downloaded files.
- The Chrome process can be crashed or kept running under attacker control, either disrupting the remote-desktop session or silently maintaining persistence.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-10887 activates the moment the advisory is ingested, flagging any image that bundles a vulnerable Chrome build (versions prior to 149.0.7827.53) on a macOS layer. A rebuild at the fixed version is available for affected images. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes the configured regression tests, and opens a pull request against affected workloads; for High-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers who manage remediation manually, HarborGuard surfaces the pinned fix version and affected image list directly in the finding detail. Where compliance policy requires additional review before patching, compensating controls such as network-policy rules that restrict inbound Chromoting traffic can reduce exposure until the patched image is promoted.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H