HIGH | CVE-2026-10893 | CNA: Chrome

CVE-2026-10893: Use after free in Chromoting in Google Chrome prior to 149

Use after free in Chromoting in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

Use-after-free vulnerability in the Chromoting component of Google Chrome allows a remote attacker to execute arbitrary code by sending malicious network traffic to a vulnerable browser. The attacker needs no authentication but does require the victim to interact with a malicious resource, as reflected in the CVSS vector (AV:N, PR:N, UI:R). Successful exploitation gives the attacker full control over the browser process, enabling data theft, file tampering, and service disruption. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection (Available)

Detection capability is available across every HarborGuard environment: CVE-2026-10893 is ingested from upstream feeds within minutes of publication and matched against all customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome binary.

Triage (Available)

HarborGuard scores this CVE at 8.8 HIGH (CVSS v3.1) and is capable of weighting that score against each environment's compliance policy to determine urgency; per-org routing rules direct the finding to the appropriate team inbox automatically.

Patch (Available)

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to include an affected version. For customers with auto-remediation enabled, HarborGuard runs the rebuild and a regression test suite, then opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim's browser over the network, making any internet-exposed or network-reachable Chrome instance a valid target.

  • Authentication: Not required

    No account or credential is needed; the attacker sends malicious network traffic without authenticating to any service.

  • Victim interaction: Required

    The victim must take an action such as visiting a malicious page or opening a crafted link, introducing a social-engineering step the attacker must clear.

  • Attack complexity (detail)

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout prerequisites.

Blast Radius

  • A successful attacker executes arbitrary code inside the Chrome renderer or browser process on the victim's machine.
  • The attacker reads data accessible to the Chrome process, including stored session tokens, saved passwords, and browsing history.
  • The attacker modifies files and browser-stored data writable by the Chrome process, including cookies, local storage, and downloaded files.
  • The attacker can crash or hang the Chrome process, denying the victim access to browser-dependent workflows.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10893 is active across all connected registries and pipelines the moment the advisory is ingested, covering any image that packages a Chrome or Chromium binary below 149.0.7827.53. Where a compliance policy permits auto-remediation, HarborGuard rebuilds the affected image at the patched version, runs a regression test suite against the new image, and opens a pull request targeting the affected workload; for high-severity issues, median time from publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with full CVSS detail and fix-version guidance so engineering teams can act immediately.


Fix available: 149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H