CVE-2026-10899: Use after free in Ozone in Google Chrome on Linux prior to 149
Use after free in Ozone in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability affects the Ozone graphics platform layer in Google Chrome on Linux, in versions prior to 149.0.7827.53. The flaw is reachable over the network but requires a victim to perform specific UI gestures on a crafted HTML page, and no authentication is needed from the attacker. Successful exploitation corrupts heap memory, giving an attacker the ability to read sensitive data, tamper with browser memory, or execute arbitrary code in the renderer process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome on Linux.
HarborGuard Coverage
Detection of CVE-2026-10899 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Chrome on Linux base layers. Any image carrying a Chrome version below 149.0.7827.53 on a Linux platform is flagged automatically during registry scans and CI pipeline checks.
- Status: Available
HarborGuard scores this CVE at CVSS 7.5 HIGH and surfaces it accordingly in each customer environment, with per-organization compliance policy weighting applied to prioritize it relative to other open findings. Triage routing is available to direct the alert to the team or inbox configured for browser-runtime or desktop-platform workloads within each customer org.
- Status: Available
A patched-image rebuild based on Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues.
- Status: Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the crafted HTML page over the network, so the victim's browser must be reachable or the victim must browse to an attacker-controlled URL.
- Authentication: Not required
No account or credential is needed; the attacker only needs to get the victim to visit a page.
- Victim interaction: Required
Exploitation requires the victim to perform specific UI gestures on the crafted page, meaning the attacker must socially engineer that interaction.
- Attack complexity: High
Attack complexity is rated High, meaning the exploit depends on environmental or timing factors such as heap layout conditions that the attacker cannot fully control.
Blast Radius
- A successful exploit reads high-confidentiality browser memory, exposing stored session tokens, credentials, or page content from the current browser context.
- The attacker can modify in-process memory, altering rendered page state or injecting behavior into the running Chrome process.
- Heap corruption at this severity can crash the affected Chrome process, disrupting any active browsing session or web-based workflow running under it.
- Depending on the sandbox posture of the container image, arbitrary code execution inside the renderer may be achievable, extending attacker control beyond the browser tab.
How HarborGuard Handles This
Available on HarborGuard: detection of this use-after-free in Chrome on Linux images is active across all connected registries and CI pipelines, with findings surfaced within minutes of advisory ingestion. For environments where an image bundles Chrome below 149.0.7827.53, a rebuilt image at the fixed version is available. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes a regression run, and opens a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the configured team inbox with full CVSS context and remediation guidance attached. Customers who cannot immediately update are encouraged to apply network policy controls that limit which container workloads can initiate outbound browsing sessions, reducing the surface available for delivering the crafted HTML payload.
Fix available
- Google / Chrome: < 149.0.7827.53 (fixed from 149.0.7827.53)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H