CVE-2026-10889: Out of bounds read in ANGLE in Google Chrome prior to 149
Out of bounds read in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 8.3
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
An out-of-bounds read vulnerability exists in ANGLE, the graphics abstraction layer inside Google Chrome versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but does require the attacker to have already compromised the Chrome renderer process and to trick a user into visiting a crafted HTML page. Successful exploitation allows a full sandbox escape, giving the attacker code execution outside the browser's sandboxed process with high confidentiality, integrity, and availability impact. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection capability for CVE-2026-10889 is available across every HarborGuard environment, with the CVE ingested from upstream feeds and matched against customer images, including custom-built images, within minutes of publication. Any image in a customer registry or CI/CD pipeline that bundles a Chrome version below 149.0.7827.53 is flagged automatically.
HarborGuard is capable of scoring this CVE at 8.3 HIGH (CVSS v3.1) and weighting that score against each environment's compliance policy to prioritize it appropriately. Triage findings are routable to the correct team inbox within each customer organization based on policy configuration.
A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the victim over the network by serving a crafted HTML page from a remote origin.
- Authentication: Not required
No credentials or account are needed; the attack is launched against an unauthenticated browsing session.
- Victim interaction: Required
The victim must visit or be redirected to the attacker-controlled HTML page, requiring a social-engineering step.
- Attack complexity: Detail
Exploitation is high-complexity because it assumes the attacker has already achieved renderer-process compromise as a prerequisite before attempting the sandbox escape.
Blast Radius
- A successful attacker escapes the Chrome sandbox and gains code execution in the context of the host process, reading files and credentials accessible to the browser process.
- The attacker can modify data on the host, including writing files or tampering with user-accessible storage outside the sandbox.
- The attacker can crash or destabilize host-level processes, disrupting services running under the same user account.
- Because the scope is changed (S:C in the CVSS vector), impact extends beyond the browser itself to the underlying host environment.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome below 149.0.7827.53 are detectable the moment the CVE enters upstream advisory feeds, with matching running continuously against registered customer images and pipeline builds. For customers who opt into auto-remediation, HarborGuard can rebuild affected images at Chrome 149.0.7827.53, execute a regression test suite against the rebuilt image, and open a pull request targeting affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in environments with auto-remediation enabled. Where compliance policy requires manual approval before patching, HarborGuard surfaces the finding with full CVSS context and routes it to the configured team inbox for review. Given the sandbox-escape impact and the renderer-compromise prerequisite, teams that cannot patch immediately should consider restricting the affected Chrome version from production container images via admission controls and enforcing network-egress filtering to limit attacker-controlled page delivery.
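The version check behind such a gate can be sketched as follows. This is an added example, not HarborGuard's code: it classifies the text a browser prints for `--version` against the fixed build 149.0.7827.53 and fails closed when no unambiguous version is found. The image names and the version strings in the inventory are constructed sample data, and the function names are hypothetical.

```python
import re

FIXED = (149, 0, 7827, 53)  # first patched Chrome build, per this advisory

# Chrome versions are four dotted integers: MAJOR.MINOR.BUILD.PATCH.
# The lookarounds reject fragments of longer dotted strings such as 1.2.3.4.5.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the version as a 4-tuple of ints, or None if absent or ambiguous."""
    matches = _VERSION_RE.findall(text)
    if len(matches) != 1:
        return None
    return tuple(int(part) for part in matches[0])


def classify(version_output):
    """Classify one image as 'affected', 'fixed' or 'unknown'."""
    version = parse_chrome_version(version_output)
    if version is None:
        return "unknown"
    # Tuple comparison is numeric per component. Comparing the raw strings
    # would rank "149.0.7827.100" below "149.0.7827.53" and "99." above "149.".
    return "affected" if version < FIXED else "fixed"


def gate(inventory):
    """Return the images to block: affected ones plus unknowns (fail closed)."""
    return sorted(name for name, output in inventory.items()
                  if classify(output) != "fixed")


# Constructed sample inventory: image name -> captured `--version` output.
SAMPLE_INVENTORY = {
    "registry.example/ci/e2e-runner:a": "Google Chrome 149.0.7827.53 ",
    "registry.example/ci/e2e-runner:b": "Google Chrome 149.0.7827.52 ",
    "registry.example/ci/pdf-render:c": "Google Chrome 149.0.7827.100 ",
    "registry.example/ci/scraper:d": "Chromium 99.0.4844.51 built on Debian 12.5",
    "registry.example/ci/legacy:e": "sh: google-chrome: not found",
}

if __name__ == "__main__":
    for image in gate(SAMPLE_INVENTORY):
        print(f"BLOCK {image}: {classify(SAMPLE_INVENTORY[image])}")
```

Images classified as unknown are blocked along with affected ones so that a missing or unparsable version string cannot pass the gate silently.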
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H