How is CVE-2026-10890 exploited?

Network reachability (info): The attacker must be on the same local network segment, LAN, or VPN as the target; remote internet-based exploitation is not possible without that adjacency. Authentication (not-required): No credentials or account are needed; the attacker sends malicious traffic anonymously over the adjacent network. Victim interaction (not-required): No user action such as clicking a link or opening a file is required for exploitation to succeed. Attack complexity (info): The exploit is reliable and requires no special pre-conditions, race conditions, or environmental factors beyond network adjacency.

What is the impact of CVE-2026-10890?

A successful attacker reads browser memory contents, including session tokens, saved credentials, and any in-memory page data from the compromised Chrome process. The attacker can write to or corrupt heap memory within the Chrome process, modifying in-flight data or persisted browser state such as cookies and local storage. The exploit crashes or destabilizes the Chrome process, causing a denial of service for the affected user session. Heap corruption of this class frequently serves as a stepping stone to arbitrary code execution within the Chrome sandbox, enabling further exploitation of sandbox escapes.

Back to search

HIGHCVE-2026-10890Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-10890: Use after free in Cast in Google Chrome prior to 149

Use after free in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: Critical)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Cast component of Google Chrome prior to version 149.0.7827.53 allows an attacker on the same local network segment to exploit heap corruption without any authentication or user interaction. The flaw is reachable by sending malicious network traffic to an affected Chrome instance, and successful exploitation grants full confidentiality, integrity, and availability impact over the browser process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-10890 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images containing Google Chrome. Any image shipping a Chrome binary older than 149.0.7827.53 is flagged automatically.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.8 HIGH and weighting that score against each customer environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer org based on configured ownership rules.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard once upstream fix metadata is confirmed. For customers who opt into auto-remediation, the pipeline rebuilds the affected image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityDetail
The attacker must be on the same local network segment, LAN, or VPN as the target; remote internet-based exploitation is not possible without that adjacency.
AuthenticationNot required
No credentials or account are needed; the attacker sends malicious traffic anonymously over the adjacent network.
Victim interactionNot required
No user action such as clicking a link or opening a file is required for exploitation to succeed.
Attack complexityDetail
The exploit is reliable and requires no special pre-conditions, race conditions, or environmental factors beyond network adjacency.

Blast Radius

A successful attacker reads browser memory contents, including session tokens, saved credentials, and any in-memory page data from the compromised Chrome process.
The attacker can write to or corrupt heap memory within the Chrome process, modifying in-flight data or persisted browser state such as cookies and local storage.
The exploit crashes or destabilizes the Chrome process, causing a denial of service for the affected user session.
Heap corruption of this class frequently serves as a stepping stone to arbitrary code execution within the Chrome sandbox, enabling further exploitation of sandbox escapes.

How HarborGuard Handles This

Available on HarborGuard: detection of this use-after-free in Chrome Cast is active for all images scanned through HarborGuard pipelines, flagging any image that packages Chrome below version 149.0.7827.53. Given the HIGH severity and CVSS 8.8 score, this CVE is prioritized accordingly in per-environment compliance policy weighting. For customers who opt into auto-remediation, HarborGuard will rebuild the affected image at Chrome 149.0.7827.53, execute the configured regression suite, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers not using auto-remediation will see the finding surfaced in their HarborGuard dashboard with fix-version guidance and can trigger the rebuild manually.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available