CVE-2026-10917: Insufficient validation of untrusted input in Media in Google Chrome prior to 149
Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.3
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an insufficient input validation vulnerability in the Media component of Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but does require the attacker to have already compromised the Chrome renderer process and to trick a victim into visiting a crafted HTML page. Successful exploitation enables a sandbox escape, giving the attacker access beyond the browser's isolation boundary with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-10917 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images containing Chrome. Any image whose Chrome version falls below 149.0.7827.53 is flagged automatically at scan time in both registry and CI/CD pipeline contexts.
Available
HarborGuard scores this CVE at 8.3 (HIGH) using the CVSS v3.1 vector and weights that score against each customer environment's compliance policy to prioritize routing. Findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
Available
A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker delivers the crafted HTML page over the network, so the target service or user must be reachable from the attacker's position on the internet.
- Authentication: Not required
  No account or credential is needed to initiate the attack; the attacker only needs to lure a victim to a malicious page.
- Victim interaction: Required
  The victim must visit a crafted HTML page, meaning the attacker depends on a social-engineering step to get the user to navigate to or load the malicious content.
- Attack complexity: Detail
  Attack complexity is HIGH because the attacker must first have compromised the Chrome renderer process before the sandbox escape becomes reachable, introducing a significant precondition beyond the attacker's direct control.
Blast Radius
- A successful sandbox escape breaks out of Chrome's process isolation, exposing the underlying host OS to attacker-controlled code execution.
- The attacker gains read access to files, credentials, and data outside the browser sandbox on the compromised host.
- The attacker can write or modify files and system state on the host, enabling persistence or lateral movement.
- The attacker can crash or destabilize host-level processes, disrupting availability of the system beyond just the browser tab.
How HarborGuard Handles This
Available on HarborGuard: images containing a Chrome version below 149.0.7827.53 are automatically flagged when the CVE is matched during any scan cycle, including scans triggered at image push, on a schedule, or inline in a CI/CD pipeline. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image at Chrome 149.0.7827.53, runs a regression test pass, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where compliance policy requires manual approval, the rebuilt image and a prefilled pull request are staged and held for reviewer sign-off. Because the exploit requires a pre-compromised renderer process as a precondition, customers who cannot immediately deploy the patch should consider network-policy controls that restrict outbound connections from browser-hosting containers, reducing the attacker's ability to exfiltrate data or reach internal services if a renderer compromise does occur.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
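For teams that want to check their own inventory against the fixed version stated above, the following is an added example, not HarborGuard's matching logic. It assumes each image's Chrome version has already been collected as a text string; the image names and version strings are constructed, and the function names are hypothetical.

```python
import re

FIXED = (149, 0, 7827, 53)  # fixed version stated on this page

# Chrome versions are four dot-separated integers (MAJOR.MINOR.BUILD.PATCH).
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def classify(text, fixed=FIXED):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    version = parse_chrome_version(text)
    if version is None:
        return "unknown"  # never treat an unparseable version as safe
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "149.0.7827.6" above "149.0.7827.53".
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """Map image name -> status for an {image: version text} inventory."""
    return {image: classify(text) for image, text in inventory.items()}


# Constructed sample inventory: image names and version strings are made up.
SAMPLE_INVENTORY = {
    "registry.example/ui-tests:1": "Google Chrome 149.0.7827.53",
    "registry.example/pdf-render:7": "Google Chrome 149.0.7827.6",
    "registry.example/scraper:3": "Google Chrome 148.0.7700.12 beta",
    "registry.example/legacy:2": "chrome: command not found",
    "registry.example/canary:9": "Google Chrome 150.0.7900.0 dev",
}

if __name__ == "__main__":
    for image, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9} {image}")
```

Images reported as `unknown` need a manual look, since a missing or unreadable version string says nothing about whether the installed build is patched.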