CVE-2026-10902: Use after free in Ozone in Google Chrome prior to 149
Use after free in Ozone in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in Ozone, Chrome's display-platform abstraction layer, affects Google Chrome before 149.0.7827.53. A remote attacker who lures a user into loading a crafted HTML page can trigger the bug and execute arbitrary code. The vulnerability is reachable over the network and requires no authentication, but it does require the targeted user to open the page. Chromium rates the issue Critical, its highest severity, which it reserves for bugs that let an attacker run code or read and write resources outside the renderer sandbox with the user's own privileges; Ozone code runs in Chrome's browser and GPU processes, not in the sandboxed renderer. The CVSS v3.1 score is 8.8 (High), with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome or Chromium binary. Images carrying any Chrome version below 149.0.7827.53 are flagged automatically.
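As an added example (not HarborGuard's scanner code), the version check that this kind of detection has to get right: Chrome versions have four numeric components and must be compared component-wise as integers, not as strings, or builds such as 149.0.7827.9 sort "after" the fixed release and slip through. The fixed version is taken from this advisory; the sample `--version` strings and the image-scan command in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not HarborGuard code): flag a Chrome/Chromium build as affected by
# CVE-2026-10902 when its version is numerically below the fixed release.
# FIXED_VERSION comes from the advisory; the sample --version strings are constructed.

FIXED_VERSION="149.0.7827.53"

# version_lt A B: succeed when A < B, comparing each of the four dotted components
# as an integer. Plain string comparison gets this wrong: "149.0.7827.9" sorts
# after "149.0.7827.53" lexically but is an older, still-affected build.
version_lt() {
  i=1
  while [ "$i" -le 4 ]; do
    ca=$(printf '%s' "$1" | cut -d. -f"$i")
    cb=$(printf '%s' "$2" | cut -d. -f"$i")
    ca=${ca:-0}   # missing components count as 0 (e.g. "149.0.7827")
    cb=${cb:-0}
    [ "$ca" -lt "$cb" ] && return 0
    [ "$ca" -gt "$cb" ] && return 1
    i=$((i + 1))
  done
  return 1   # all four components equal: not less than
}

# chrome_version_from_output RAW: pull the four-component version out of the text a
# Chrome or Chromium binary prints for --version, ignoring product name and suffixes.
chrome_version_from_output() {
  printf '%s\n' "$1" |
    sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# is_vulnerable VERSION: succeed when VERSION is below the fixed release.
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_version_output RAW: classify one --version line and print a verdict with the
# parsed version. Output with no parsable version is reported as UNKNOWN rather than
# silently treated as fixed.
check_version_output() {
  v=$(chrome_version_from_output "$1")
  if [ -z "$v" ]; then
    echo "UNKNOWN (no version found)"
  elif is_vulnerable "$v"; then
    echo "VULNERABLE $v"
  else
    echo "FIXED $v"
  fi
}

# Constructed sample outputs, as one might capture per image with
#   docker run --rm --entrypoint google-chrome IMAGE --version
for sample in \
  "Google Chrome 149.0.7827.52" \
  "Google Chrome 149.0.7827.9" \
  "Chromium 148.0.7800.10 snap" \
  "Google Chrome 149.0.7827.53" \
  "Google Chrome 150.0.8001.4" \
  "sh: google-chrome: not found"
do
  printf '%-32s -> %s\n' "$sample" "$(check_version_output "$sample")"
done
```

The UNKNOWN verdict matters in a scanner: an image whose Chrome binary cannot be located or run should surface for a human look, not be counted as clean because no version was found.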
HarborGuard scores this CVE at 8.8 HIGH (CVSS v3.1) and weights it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard triggers an automated rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by luring the target to a crafted HTML page hosted on an attacker-controlled server.
- Authentication: Not required
No account credentials or prior authentication to any service are needed to deliver the malicious page.
- Victim interaction: Required
The targeted user must open or be redirected to the attacker's crafted HTML page in the affected Chrome browser.
- Attack complexity: Low
CVSS rates attack complexity Low (AC:L): success does not depend on conditions outside the attacker's control, such as a race the attacker must win or a particular configuration on the victim's side. Once the victim loads the page, the attacker's script can reach the vulnerable code path directly.
Blast Radius
- Attacker achieves arbitrary native code execution in Chrome. Because Ozone runs in the browser and GPU processes rather than in the sandboxed renderer, and Chromium rates the bug Critical, the realistic outcome is code execution with the privileges of the user running Chrome, not merely control of one sandboxed tab.
- All data loaded in the active browser session, including stored credentials, session tokens, and page content, is readable by the attacker.
- The attacker can write or modify data accessible to the renderer, including form submissions, local storage, and in-page state.
- The affected Chrome process can be crashed or made unresponsive, disrupting the user's browser session.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-10902 is active across all connected registries and CI pipelines, flagging any image that ships Chrome below 149.0.7827.53. For customers with auto-remediation enabled, HarborGuard initiates a rebuild at the fixed version, runs regression tests against the new image, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy requires manual approval, the rebuilt image and a prioritized finding are queued for reviewer action. Customers who cannot immediately rebuild are advised to apply network-policy controls that restrict Chrome-based workloads from loading arbitrary external origins, reducing exposure while a rebuild is prepared.
Fix available
- Google / Chrome: < 149.0.7827.53 (fixed from 149.0.7827.53)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H