CVE-2026-10910: Type Confusion in V8 in Google Chrome prior to 149
Type Confusion in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A type confusion vulnerability in V8, the JavaScript engine embedded in Google Chrome, allows a remote attacker to execute arbitrary code inside the browser sandbox by tricking a user into visiting a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, but does require the victim to open a malicious page. Successful exploitation grants the attacker code execution within the Chrome sandbox, which can be leveraged as a stepping stone toward full system compromise. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
- Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle a Chrome or Chromium installation. (Available)
- HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and can weight that score against each customer environment's compliance policy, routing findings to the appropriate team inbox inside the customer organization. (Available)
- A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard once an affected image is detected. For customers who opt into auto-remediation, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads automatically. (Available)
Exploit Conditions
- Network reachability: Required
  The attacker delivers the exploit over the network; the victim's browser must be able to reach the attacker-controlled or compromised web page.
- Authentication: Not required
  No account or credential of any kind is required; any anonymous visitor to a malicious page is a valid target.
- Victim interaction: Required
  The victim must open a crafted HTML page in the browser, making this a social-engineering vector that depends on the user navigating to or being redirected to the attacker's page.
- Attack complexity: Detail
  Exploit reliability is high: no race conditions, memory-layout assumptions, or special environmental factors are required once the victim loads the page.
Blast Radius
- The attacker gains arbitrary code execution within the Chrome renderer sandbox, enabling JavaScript engine-level control over the affected browser process.
- Confidential data processed by the browser, including session tokens, form data, and page contents, is exposed to the attacker.
- The attacker can modify in-browser state, redirect navigation, and inject content into pages the victim is viewing.
- A sandbox escape chained onto this vulnerability would extend attacker control to the underlying host operating system.
How HarborGuard Handles This
Available on HarborGuard: the CVE is matched against customer images within minutes of publication, covering any image that bundles Chrome or Chromium below version 149.0.7827.53. Where compliance policy permits, a rebuilt image at the patched version is made available automatically; for customers with auto-remediation enabled, HarborGuard rebuilds the image, runs a regression test pass, and opens a pull request against affected workloads. For high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually can retrieve the pinned rebuild from HarborGuard and promote it through their own pipeline on their own schedule.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H