How is CVE-2026-10901 exploited?

Network reachability (required): The attacker delivers the exploit over the network via a crafted HTML page, so the target host must be able to reach and render attacker-controlled web content. Authentication (not-required): No account or credential is needed; the attacker operates as an unauthenticated remote party. Victim interaction (required): The attacker must socially engineer the target user into performing specific UI gestures inside Chrome before the vulnerable code path is triggered. Attack complexity (info): Exploitation is rated high complexity, meaning the attacker must account for timing, memory layout, or other environmental conditions that cannot be reliably controlled, making reliable exploitation harder to achieve.

What is the impact of CVE-2026-10901?

A successful attacker executes arbitrary code within the Chrome process on the target macOS host. Code execution at Chrome's privilege level exposes all data the browser can access, including stored passwords, session cookies, and browsing history. The attacker can read, modify, or exfiltrate any file or credential that Chrome has permission to reach on the local filesystem. The running Chrome process can be crashed or hijacked, disrupting browser availability for the affected user.

Back to search

HIGHCVE-2026-10901Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-10901: Use after free in Passwords in Google Chrome on Mac prior to 149

Use after free in Passwords in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Passwords component of Google Chrome on macOS in versions prior to 149.0.7827.53. The flaw is reachable over the network but requires the attacker to convince a target user to perform specific UI gestures, and no prior authentication is needed. Successful exploitation gives the attacker arbitrary code execution inside the Chrome process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-10901 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.

Available

Triage

HarborGuard scores this CVE at 7.5 HIGH (CVSS v3.1) and is capable of weighting that score against each environment's compliance policy to determine breach thresholds; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any scanned image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run a regression test suite, and open a pull request against the affected workload automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network via a crafted HTML page, so the target host must be able to reach and render attacker-controlled web content.
AuthenticationNot required
No account or credential is needed; the attacker operates as an unauthenticated remote party.
Victim interactionRequired
The attacker must socially engineer the target user into performing specific UI gestures inside Chrome before the vulnerable code path is triggered.
Attack complexityDetail
Exploitation is rated high complexity, meaning the attacker must account for timing, memory layout, or other environmental conditions that cannot be reliably controlled, making reliable exploitation harder to achieve.

Blast Radius

A successful attacker executes arbitrary code within the Chrome process on the target macOS host.
Code execution at Chrome's privilege level exposes all data the browser can access, including stored passwords, session cookies, and browsing history.
The attacker can read, modify, or exfiltrate any file or credential that Chrome has permission to reach on the local filesystem.
The running Chrome process can be crashed or hijacked, disrupting browser availability for the affected user.

How HarborGuard Handles This

Available on HarborGuard: any image that bundles a Chrome or Chromium binary below version 149.0.7827.53 is flagged at ingest and surfaced as a HIGH finding. For customers who opt into auto-remediation, HarborGuard can rebuild the image at the patched version, run a regression test run against the rebuilt image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is held in the team inbox with full CVSS detail and remediation guidance until a reviewer acts. Because a fix is already available upstream, no compensating-control workaround period is expected, but environments that cannot upgrade immediately should consider restricting which container workloads are permitted to run a browser binary using network-policy controls.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available