CVE-2026-10897: Inappropriate implementation in GPU in Google Chrome prior to 149
Inappropriate implementation in GPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
An inappropriate GPU implementation flaw in Google Chrome prior to version 149.0.7827.53 allows a remote attacker to trigger a sandbox escape through a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though a victim must visit a malicious or attacker-controlled page. Successful exploitation breaks out of Chrome's sandbox, giving the attacker code execution capability beyond normal browser process boundaries. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-10897 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. Coverage extends to custom-built images that bundle a Chromium or Chrome binary, not just images pulled from public registries.
HarborGuard is capable of scoring this CVE at 8.8 HIGH (CVSS v3.1) and weighting it further against each customer environment's compliance policy to determine whether policy thresholds are breached. Triage findings can be routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected Chrome version. For customers who have opted into auto-remediation, HarborGuard is capable of running the rebuild alongside a regression test suite and opening a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the exploit over the network by luring a victim to a crafted HTML page, so the affected browser must be able to load attacker-controlled content over the network.
- Authentication: Not required
  No credentials or account are needed; any unauthenticated user browsing to a malicious page is a viable target.
- Victim interaction: Required
  The victim must open or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.
Blast Radius
- Attacker escapes the Chrome renderer sandbox and gains code execution in the context of the browser process on the victim host.
- Confidential data accessible to the browser process, including stored credentials, session tokens, and local files within reach of that process, can be read.
- The attacker can write or modify files and browser state accessible to the compromised process, enabling persistence or further lateral movement.
- The affected browser process can be crashed or made unavailable, disrupting the user's session and any browser-based workflows.
How HarborGuard Handles This
Available on HarborGuard: images containing Chrome versions below 149.0.7827.53 are flagged automatically as CVE-2026-10897 is ingested from upstream feeds. Where compliance policy permits, a rebuilt image pinned to the fixed version 149.0.7827.53 is made available immediately; for customers who opt into auto-remediation, HarborGuard can run the rebuild, execute regression tests, and open a pull request against affected workloads, targeting a median time from CVE publication to merged patch PR of around 90 minutes for high-severity findings. Given that exploitation requires only network access and a single victim click, prioritizing rapid upgrade is strongly advised over waiting for a scheduled maintenance window. If immediate rebuild is not feasible, network-policy controls that restrict which internal services can be reached from browser-running workloads reduce the post-exploitation blast radius while a formal patch is prepared.
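The version check described above, as an added example (not HarborGuard's code): it classifies Chrome version banners against the fixed build 149.0.7827.53 using numeric, per-component comparison. The image names and banners are constructed, and it assumes each banner was already collected from the image, for example from the browser's `--version` output.

```python
import re

FIXED = (149, 0, 7827, 53)  # first fixed Chrome build, taken from the advisory

# Four dotted numeric components, as in "Google Chrome 148.0.7778.96"
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Return the Chrome version in a banner as a 4-tuple of ints, or None."""
    match = _VERSION_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(banner):
    """Return 'affected', 'fixed' or 'unknown' for one version banner."""
    version = parse_version(banner)
    if version is None:
        return "unknown"  # an unparsable banner is not evidence of a safe image
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank 149.0.7827.100 below 149.0.7827.53.
    return "affected" if version < FIXED else "fixed"


def audit(inventory):
    """Map image name -> classification for an {image: banner} inventory."""
    return {image: classify(banner) for image, banner in inventory.items()}


# Constructed sample inventory (image names and banners are made up).
SAMPLE_INVENTORY = {
    "registry.example/pdf-renderer:1.4": "Google Chrome 148.0.7778.96",
    "registry.example/e2e-tests:2.0": "Chromium 149.0.7827.9 built on Debian",
    "registry.example/scraper:7": "Google Chrome 149.0.7827.53",
    "registry.example/screenshot:3": "Google Chrome 149.0.7827.100",
    "registry.example/legacy:0.9": "chrome: not found",
}

if __name__ == "__main__":
    for image, status in audit(SAMPLE_INVENTORY).items():
        print(f"{status:8}  {image}")
```

Images reported as `unknown` need manual inspection rather than being counted as patched.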
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H