CVE-2026-10919: Use after free in ANGLE in Google Chrome prior to 149
Use after free in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.3
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in ANGLE, the graphics abstraction layer embedded in Google Chrome versions prior to 149.0.7827.53, allows a remote attacker who has already compromised the Chrome renderer process to escape the browser sandbox by delivering a crafted HTML page. The flaw is reachable over the network and requires the victim to interact with attacker-controlled content, though no authentication is needed. Successful exploitation carries high confidentiality, integrity, and availability impact outside the renderer sandbox, effectively breaking Chrome's primary containment layer. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-10919 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium runtime.
HarborGuard is capable of scoring this CVE at CVSS 8.3 (HIGH) and weighting it further against each customer's per-environment compliance policy, then routing findings to the appropriate team inbox within the customer org based on image ownership rules.
A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected image is detected. For customers who have opted into auto-remediation, HarborGuard can execute the rebuild, run the configured regression suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable or the user must browse to an attacker-controlled origin.
- Authentication: Not required
No account credentials or prior session are needed; the attacker only requires the ability to serve content to the victim's browser.
- Victim interaction: Required
The victim must visit or be redirected to a crafted HTML page, making a social-engineering or malicious-link delivery step necessary before the exploit can trigger.
- Attack complexity: Detail
Attack complexity is rated High: the attacker must already have compromised the renderer process as a prerequisite, which adds an exploit stage before the sandbox escape can succeed.
Blast Radius
- Reads sensitive data from outside the renderer sandbox, including stored credentials, cookies, and files accessible to the browser process.
- Modifies data or injects code in the context of the browser process, bypassing Chrome's sandbox isolation.
- Crashes or destabilizes the browser process, causing a denial of service for the affected session.
- Gains arbitrary code execution at the privilege level of the Chrome browser process, enabling further lateral movement on the host.
How HarborGuard Handles This
Available on HarborGuard: images containing a Chrome or Chromium runtime below version 149.0.7827.53 are flagged automatically when they appear in a connected registry or pipeline, using feed ingestion that typically completes within minutes of CVE publication. A rebuild at the fixed version is available immediately upon detection. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image, execute the configured regression tests, and open a pull request against the affected workload; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated changes, the finding is routed to the designated team inbox with full CVSS context and a direct reference to the upstream fix so engineers can act without additional research.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
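A local check for the affected range listed above, as an added example that is not HarborGuard's or Google's code: it parses `--version` output collected from images and flags any Chrome or Chromium build below 149.0.7827.53. The image names and version strings are constructed sample data, and the function names are hypothetical.

```python
import re

FIXED = (149, 0, 7827, 53)  # first fixed Chrome version, from the advisory

# Chrome/Chromium versions have four numeric parts: MAJOR.MINOR.BUILD.PATCH
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_output):
    """Classify one `--version` output string against the fixed version."""
    v = parse_version(version_output)
    if v is None:
        return "unknown"  # surface for manual review, never assume patched
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank 149.0.7827.6 above 149.0.7827.53.
    return "vulnerable" if v < FIXED else "patched"


def triage(inventory):
    """Map image name -> status for (image, version_output) pairs."""
    return {image: classify(out) for image, out in inventory}


# Constructed sample inventory (hypothetical image names and version strings).
SAMPLE = [
    ("registry.example/pdf-render:1.4", "Google Chrome 148.0.7778.96 "),
    ("registry.example/e2e-tests:2.0", "Chromium 149.0.7827.6 built on Debian"),
    ("registry.example/scraper:3.1", "Google Chrome 149.0.7827.53 "),
    ("registry.example/screenshot:0.9", "Chromium 150.0.7850.2 snap"),
    ("registry.example/legacy:0.1", "chrome: command not found"),
]

if __name__ == "__main__":
    for image, status in triage(SAMPLE).items():
        print(f"{status:10}  {image}")
```

Images reported as `unknown` produced no parseable version and need manual inspection rather than being treated as patched.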