HIGH | CVE-2026-10918 | CNA: Chrome

CVE-2026-10918: Use after free in Viz in Google Chrome prior to 149

Use after free in Viz in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Viz component of Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but the attacker must have already compromised the renderer process and must trick a user into visiting a crafted HTML page. Successful exploitation enables a sandbox escape, giving the attacker code execution outside Chrome's renderer sandbox with high impact to confidentiality, integrity, and availability. A patched-image rebuild at 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-10918 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. Coverage extends to custom-built images that bundle Chrome or Chromium as a dependency, not just official base images.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at 8.3 HIGH (CVSS v3.1) and weighting that score against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available as part of the standard pipeline.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard can run the rebuild, execute a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the target service or user must be reachable from an external or network-adjacent origin.

  • Authentication: Not required

    No credentials or account are needed; the attack is initiated by luring a user to a page the attacker controls.

  • Victim interaction: Required

    The user must visit a crafted HTML page, requiring a social-engineering step such as a phishing link or malicious redirect.

  • Attack complexity: Detail

    Exploitation is rated High complexity because the attacker must first have compromised the renderer process before the use-after-free can be leveraged for a sandbox escape.

Blast Radius

  • A successful attacker escapes the Chrome renderer sandbox and gains code execution in the context of the browser process or the host user account.
  • With sandbox escape achieved, the attacker can read files, credentials, and session data accessible to the browser process on the host.
  • The attacker can write to or modify files and browser-managed data stores on the host system.
  • The attacker can crash or destabilize the browser process and potentially disrupt other processes running under the same user account.

How HarborGuard Handles This

Available on HarborGuard: any image found to include Chrome below 149.0.7827.53 is flagged at CVE ingestion time, typically within minutes of the advisory going live. Where compliance policy permits, a rebuilt image at the patched version (149.0.7827.53) is made available immediately, and customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads. For high-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Environments that cannot upgrade immediately should consider restricting which Chrome-based images are permitted to run in production workloads via admission policy, and should monitor for renderer-process compromise indicators as a compensating control until the patched image is deployed.


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H