How is CVE-2026-10892 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing the target to a crafted HTML page, so the Chrome instance must be reachable or the user must browse to an attacker-controlled URL. Authentication (not-required): No account, credential, or session token is needed; any anonymous visitor to the malicious page is a valid target. Victim interaction (required): The attack requires the user to open or be redirected to a crafted HTML page, making a basic social-engineering or malicious-ad delivery step necessary. Attack complexity (info): Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

What is the impact of CVE-2026-10892?

Attacker escapes the Chrome renderer sandbox and gains code execution in a higher-privilege process on the Android device. Confidential data accessible to the Chrome process (stored credentials, session cookies, browsing history) is exposed to the attacker. The attacker can write arbitrary data to memory regions outside the intended buffer, enabling modification of application state or persistent storage. The affected Chrome process can be crashed or rendered unresponsive, disrupting the user's browsing session.

Back to search

CRITICALCVE-2026-10892Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-10892: Out of bounds write in GPU in Google Chrome on Android prior to 149

Out of bounds write in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

Out-of-bounds write in the GPU component of Google Chrome on Android (versions before 149.0.7827.53) allows a remote attacker to exploit the browser by serving a crafted HTML page. No authentication is required and the only prerequisite is that a user visits the malicious page, making this a network-reachable, low-friction attack. Successful exploitation enables a full sandbox escape, giving the attacker read, write, and denial-of-service capability beyond the browser sandbox. A patched-image rebuild at 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-10892 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Android application images that bundle or ship Chrome. No manual configuration is required for the match to occur.

Available

Triage

HarborGuard surfaces this CVE with its CVSS v3.1 score of 9.6 (Critical) and weights it against each environment's compliance policy to determine priority and routing. Triage tickets are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing the target to a crafted HTML page, so the Chrome instance must be reachable or the user must browse to an attacker-controlled URL.
AuthenticationNot required
No account, credential, or session token is needed; any anonymous visitor to the malicious page is a valid target.
Victim interactionRequired
The attack requires the user to open or be redirected to a crafted HTML page, making a basic social-engineering or malicious-ad delivery step necessary.
Attack complexityDetail
Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

Attacker escapes the Chrome renderer sandbox and gains code execution in a higher-privilege process on the Android device.
Confidential data accessible to the Chrome process (stored credentials, session cookies, browsing history) is exposed to the attacker.
The attacker can write arbitrary data to memory regions outside the intended buffer, enabling modification of application state or persistent storage.
The affected Chrome process can be crashed or rendered unresponsive, disrupting the user's browsing session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10892 is active across all connected registries and CI pipelines the moment the CVE enters upstream advisory feeds. Given the Critical severity (CVSS 9.6) and the sandbox-escape impact, this CVE is prioritized at the highest triage tier. For customers who opt into auto-remediation, HarborGuard can rebuild affected images at the patched version (149.0.7827.53), run a regression test suite against the new image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual sign-off, the triage ticket and rebuild artifact are staged and waiting for reviewer approval. Teams without auto-remediation should treat this as an immediate manual upgrade given the zero-authentication, network-reachable exploitation path.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available