How is CVE-2026-10913 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable to normal web traffic. Authentication (not-required): No account, credential, or session token of any kind is needed to trigger the vulnerability. Victim interaction (required): The target user must visit a crafted HTML page, making this a social-engineering-dependent attack that requires the victim to click a link or be redirected. Attack complexity (info): The exploit is reliable and condition-free; no race condition, specific memory layout, or environmental configuration is required to trigger the use-after-free.

What is the impact of CVE-2026-10913?

The attacker executes arbitrary code inside Chrome's renderer sandbox on the victim's Windows machine. Confidential data accessible to the renderer process, including page content, stored credentials surfaced by autofill, and session tokens, can be read. The attacker can modify page content and intercept or tamper with data the user submits through the browser. Renderer process stability is fully compromised, and the foothold can be used as a launch point for a sandbox-escape chain targeting the underlying OS.

Back to search

HIGHCVE-2026-10913Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-10913: Use after free in ANGLE in Google Chrome on Windows prior to 149

Use after free in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in ANGLE, the graphics translation layer used by Google Chrome on Windows, allows a remote attacker to execute arbitrary code inside Chrome's sandbox by luring a user to a crafted HTML page. The flaw is reachable over the network and requires no authentication, only that the target visits a malicious page. Successful exploitation gives the attacker code execution within the renderer sandbox, which can serve as a stepping stone toward a full browser or system compromise. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection for CVE-2026-10913 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication from upstream feeds. This coverage extends to custom-built images that bundle a Chrome or Chromium binary, not just official base images.

Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and ownership routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured triage rules.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard as soon as the fix version is confirmed in the upstream advisory. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable to normal web traffic.
AuthenticationNot required
No account, credential, or session token of any kind is needed to trigger the vulnerability.
Victim interactionRequired
The target user must visit a crafted HTML page, making this a social-engineering-dependent attack that requires the victim to click a link or be redirected.
Attack complexityDetail
The exploit is reliable and condition-free; no race condition, specific memory layout, or environmental configuration is required to trigger the use-after-free.

Blast Radius

The attacker executes arbitrary code inside Chrome's renderer sandbox on the victim's Windows machine.
Confidential data accessible to the renderer process, including page content, stored credentials surfaced by autofill, and session tokens, can be read.
The attacker can modify page content and intercept or tamper with data the user submits through the browser.
Renderer process stability is fully compromised, and the foothold can be used as a launch point for a sandbox-escape chain targeting the underlying OS.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE fires against any customer image that bundles an affected Chrome binary on Windows, including internally built images, within minutes of ingest. For environments where the image is pinned to a Chrome version below 149.0.7827.53, a rebuilt image at the patched version is available. Customers with auto-remediation enabled receive a full rebuild, a regression-test run, and a PR opened against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in those environments. Where compliance policy requires manual approval before remediation, HarborGuard surfaces the finding with full CVSS context and routes it to the configured owner so review can begin immediately.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available