HIGH | CVE-2026-10909 | Published | Modified | CNA: Chrome

CVE-2026-10909: Use after free in Dawn in Google Chrome prior to 149

Use after free in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in Dawn, the WebGPU implementation inside Google Chrome, affects all Chrome versions prior to 149.0.7827.53. The bug is reachable over the network and requires no authentication, but it does require the attacker to have already compromised the renderer process and to lure a victim into visiting a crafted HTML page. Successful exploitation allows a full sandbox escape, giving the attacker high-impact read, write, and availability control beyond the browser sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle a Chromium or Chrome binary. Any image whose Chrome version falls below 149.0.7827.53 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 8.3 HIGH using the published CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available through HarborGuard once the fix version is confirmed in the upstream advisory, which it already is. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the target Chrome instance must be reachable or the victim must browse to an attacker-controlled URL.

  • Authentication: Not required

    No credentials or account are needed; the attack is launched from an unauthenticated remote position.

  • Victim interaction: Required

    The victim must open a crafted HTML page, making social engineering or drive-by delivery a prerequisite for exploitation.

  • Attack complexity: Detail

    Exploitation is rated high complexity because it requires the attacker to have already compromised the renderer process before the use-after-free can be leveraged for a sandbox escape.

Blast Radius

  • Reads sensitive data from memory outside the browser sandbox, including credentials, session tokens, and other process memory.
  • Writes arbitrary data to memory outside the sandbox, enabling code injection or persistent modification of browser state.
  • Crashes or destabilizes the affected Chrome process, causing service disruption for the user.
  • Achieves a full sandbox escape, allowing the attacker to execute code at the privilege level of the host Chrome process, bypassing Chrome's primary isolation boundary.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10909 is active and matches any image containing a Chrome binary older than 149.0.7827.53. Because this is a HIGH-severity CVE with a known fix version, a patched-image rebuild is available immediately. For customers who opt into auto-remediation, HarborGuard initiates a rebuild at 149.0.7827.53, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is queued with full CVSS context and routing metadata so the responsible team can act without delay. Given the sandbox-escape impact and the renderer-compromise prerequisite, teams that cannot patch immediately should consider restricting or disabling WebGPU feature flags in affected images as a compensating control.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H