CVE-2026-10908: Use after free in FullScreen in Google Chrome on Windows prior to 149
Use after free in FullScreen in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.3
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the FullScreen component of Google Chrome on Windows allows a remote attacker who has already compromised the renderer process to escape the Chrome sandbox via a crafted HTML page. The attacker must lure a victim into visiting a malicious page, but no authentication is required; successful exploitation gives the attacker code execution outside the Chrome sandbox, with high impact across confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.
Status: Available
HarborGuard scores this CVE at 8.3 HIGH using the published CVSS v3.1 vector, and per-environment compliance policy weighting is applied to route the finding to the appropriate team inbox within each customer organization.
Status: Available
A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to include an affected Chrome version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.
Status: Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted on a remote server.
- Authentication: Not required
No account or credential is needed; the attacker interacts with the target purely through a web page.
- Victim interaction: Required
The victim must navigate to or be redirected to a crafted HTML page, requiring a social-engineering or watering-hole step.
- Attack complexity: Detail
Exploitation is rated high complexity because it requires the attacker to have already compromised the Chrome renderer process before triggering the sandbox escape.
Blast Radius
- Attacker escapes the Chrome sandbox and gains code execution in the context of the browser process on the Windows host.
- Reads files and secrets accessible to the browser process, including stored credentials, cookies, and session tokens.
- Modifies or deletes files and data reachable by the browser process user account.
- Crashes or destabilizes the Chrome process and any dependent services, causing loss of availability.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image containing a Chrome binary older than 149.0.7827.53, covering both upstream base images and internally built images. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the fixed version, runs a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a pre-filled pull request are staged and waiting for reviewer sign-off. Customers who cannot immediately redeploy should consider network-policy controls that restrict which hosts can serve content to Chrome-based workloads, reducing the surface available for renderer-compromise attempts.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H