How is CVE-2026-10920 exploited?

Network reachability (required): The attacker delivers the crafted HTML page over the network, so the target host must be reachable via a browser session to an attacker-controlled or compromised web origin. Authentication (not-required): No account credentials or prior authentication are needed; the attack is launched from an unauthenticated web context. Victim interaction (required): A user must visit and interact with a crafted HTML page, making this a social-engineering or drive-by delivery scenario. Attack complexity (info): Exploitation is rated high complexity because the attacker must have already compromised the Chrome renderer process before leveraging this flaw for sandbox escape.

What is the impact of CVE-2026-10920?

The attacker breaks out of Chrome's sandbox, gaining execution rights beyond the browser process on the host macOS system. With sandbox escape achieved, the attacker reads files and credentials stored outside the browser sandbox, including keychain data and session tokens accessible to the user account. The attacker writes or modifies files on the filesystem, enabling persistence mechanisms or tampering with locally stored application data. The attacker crashes or disrupts the Chrome process and potentially other user-space processes reachable under the same user context.

Back to search

HIGHCVE-2026-10920Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-10920: Insufficient validation of untrusted input in WebShare in Google Chrome on Mac prior to 149

Insufficient validation of untrusted input in WebShare in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an insufficient input validation vulnerability in the WebShare API implementation of Google Chrome on macOS, affecting versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, though a victim must interact with a crafted HTML page and the attacker must have already compromised the renderer process. Successful exploitation allows the attacker to escape Chrome's sandbox, gaining capabilities beyond the browser process and potentially achieving full system-level code execution. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome on macOS base layers.

Available

Triage

HarborGuard scores this CVE at 8.3 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy, then routes findings to the appropriate team inbox within each customer organization.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, so the target host must be reachable via a browser session to an attacker-controlled or compromised web origin.
AuthenticationNot required
No account credentials or prior authentication are needed; the attack is launched from an unauthenticated web context.
Victim interactionRequired
A user must visit and interact with a crafted HTML page, making this a social-engineering or drive-by delivery scenario.
Attack complexityDetail
Exploitation is rated high complexity because the attacker must have already compromised the Chrome renderer process before leveraging this flaw for sandbox escape.

Blast Radius

The attacker breaks out of Chrome's sandbox, gaining execution rights beyond the browser process on the host macOS system.
With sandbox escape achieved, the attacker reads files and credentials stored outside the browser sandbox, including keychain data and session tokens accessible to the user account.
The attacker writes or modifies files on the filesystem, enabling persistence mechanisms or tampering with locally stored application data.
The attacker crashes or disrupts the Chrome process and potentially other user-space processes reachable under the same user context.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10920 activates within minutes of ingestion for any image carrying a Chrome version below 149.0.7827.53 on a macOS base layer. A rebuilt image at the patched version is made available automatically. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, runs regression tests, and opens a PR against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation active. Where compliance policy requires manual approval, the finding is queued with full CVSS context and routed to the appropriate team. Because sandbox escape primitives of this class carry significant post-exploitation reach, treating this as a priority patch candidate is advisable regardless of auto-remediation settings.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available