CVE-2026-10907: Out of bounds write in ANGLE in Google Chrome prior to 149
Out of bounds write in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
An out-of-bounds write vulnerability in ANGLE, the graphics translation layer embedded in Google Chrome, affects all Chrome versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but a victim must visit a crafted HTML page that triggers the heap corruption. Successful exploitation gives an attacker full read, write, and crash capability over the browser process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-10907 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.
HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and can weight that score against each environment's compliance policy to route the finding to the appropriate team inbox within the customer organization.
A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against the affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted on a remote server.
- Authentication: Not required
No account or credential of any kind is needed on the targeted system; the attack works against any unauthenticated browser session.
- Victim interaction: Required
The victim must open a specially crafted HTML page, meaning the attacker must rely on phishing, malvertising, or a similar social-engineering vector to achieve code execution.
- Attack complexity: Detail
Attack complexity is rated low (AC:L in the CVSS vector), meaning the attack is scored as repeatable and not dependent on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- A successful attacker achieves arbitrary read access inside the Chrome browser process, exposing stored session tokens, saved credentials, and in-memory page content.
- The out-of-bounds write primitive allows the attacker to overwrite heap memory, enabling arbitrary code execution within the Chrome sandbox at the privilege level of the renderer process.
- An attacker can crash the browser process entirely, causing immediate denial of service for the affected user session.
- If paired with a sandbox escape, the foothold in the renderer can be used as a stepping stone to write files or execute code at the operating-system level.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image in a customer registry or pipeline that bundles a Chrome or Chromium binary older than 149.0.7827.53. Because this is rated HIGH with a CVSS score of 8.8 and a fix is available, the rebuild-and-PR flow is prioritized accordingly. For customers with auto-remediation enabled, HarborGuard rebuilds the image at 149.0.7827.53, runs a regression test suite, and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in those environments. Where compliance policy does not permit auto-remediation, the finding is surfaced as a high-priority alert with the pinned fix version and CVSS detail so the owning team can act manually. Customers who cannot immediately deploy the patched image should consider network-policy controls that restrict which hosts can serve content to Chrome-based workloads, reducing the social-engineering surface while the rebuild is reviewed and approved.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H