HIGH | CVE-2026-10911 | CNA: Chrome

CVE-2026-10911: Insufficient validation of untrusted input in Media in Google Chrome prior to 149

Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is an insufficient input validation vulnerability in the Media component of Google Chrome versions prior to 149.0.7827.53. A remote attacker who has already compromised the Chrome renderer process can exploit this flaw by delivering a crafted HTML page, requiring the victim to interact with it. Successful exploitation enables a sandbox escape, giving the attacker code execution outside Chrome's sandboxed renderer and full access to the host system across confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-10911 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed publication. This coverage extends to custom-built images that bundle or ship a Chrome or Chromium binary.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at 8.3 HIGH using the CVSS v3.1 vector, weighted further by each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on those policy settings.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the target service or browser must be reachable from an external or remote origin.

  • Authentication: Not required

    No account or credential is needed to initiate the attack; the crafted page alone is sufficient once delivered.

  • Victim interaction: Required

    The victim must open or navigate to the attacker-crafted HTML page, making this a social-engineering or drive-by delivery scenario.

  • Attack complexity (Detail)

    Attack complexity is high, meaning the attacker must first achieve renderer process compromise before this sandbox-escape primitive becomes usable, introducing a significant prerequisite condition.

Blast Radius

  • A successful sandbox escape lets the attacker execute arbitrary code in the context of the host OS process, bypassing Chrome's sandboxed renderer boundary.
  • The attacker reads files, credentials, and session data accessible to the user running Chrome on the host.
  • The attacker modifies files, configuration, or persisted data on the host system.
  • The attacker can crash or destabilize host-level processes, disrupting service availability beyond the browser itself.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10911 activates as soon as the advisory is ingested, matching any image that bundles a Chrome or Chromium binary below 149.0.7827.53. For customers who opt into auto-remediation, HarborGuard can rebuild affected images at the patched version, run regression tests, and open a pull request against impacted workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a full diff are staged and waiting for reviewer sign-off. Given the sandbox-escape impact and the prerequisite of renderer compromise, teams that cannot immediately update should consider network-policy controls that restrict which origins Chrome-based workloads can load content from, reducing the surface available for the delivery step.


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H