CVE-2026-10905 | Severity: HIGH | CNA: Chrome

CVE-2026-10905: Use after free in Network in Google Chrome prior to 149

Use after free in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Network component of Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but the attacker must first compromise the renderer process and persuade a victim to visit a crafted HTML page. Successful exploitation enables a sandbox escape: code execution outside Chrome's sandboxed renderer, with high impact on confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Chrome or Chromium. Any image containing a Chrome version below 149.0.7827.53 is flagged in the relevant registry and CI pipeline scan.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.3 HIGH and weights it against each environment's compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within the customer org based on configured ownership and policy rules.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available through HarborGuard once the upstream fix is confirmed, which has already occurred for this CVE. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the victim's browser over the network by serving a crafted HTML page from a remote host.

  • Authentication: Not required

    No credentials or account access are needed; the attacker only needs to deliver the malicious page to the victim.

  • Victim interaction: Required

    The victim must visit or be redirected to the attacker-controlled HTML page, making social engineering or phishing a necessary step.

  • Attack complexity: Detail

    Exploitation is rated high complexity because the attacker must first have compromised the renderer process before the use-after-free can be leveraged for a sandbox escape.

Blast Radius

  • A successful sandbox escape lets the attacker execute arbitrary code outside Chrome's renderer sandbox, at the privilege level of the browser process.
  • Confidentiality impact is high: the attacker reads memory, stored credentials, session tokens, and browsing data accessible to the browser process.
  • Integrity impact is high: the attacker writes to files and system state accessible outside the sandbox, potentially planting malicious artifacts.
  • Availability impact is high: the attacker crashes or forcibly terminates browser processes or dependent services on the host.

How HarborGuard Handles This

Available on HarborGuard: images containing Chrome below version 149.0.7827.53 are flagged automatically within minutes of CVE ingestion. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the patched version, runs regression tests, and opens a PR against affected workloads; for HIGH-severity issues the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with full CVSS context and fix-version detail so engineering teams can act manually. Because exploitation requires a prior renderer compromise in addition to victim interaction, teams may also consider enforcing strict Content Security Policy headers and disabling unnecessary network-facing Chrome features as compensating controls while rollout proceeds.


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H