HIGH | CVE-2026-10921 | CNA: Chrome

CVE-2026-10921: Integer overflow in Dawn in Google Chrome prior to 149

Integer overflow in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An integer overflow in Dawn, the WebGPU implementation inside Google Chrome, allows a remote attacker who has already compromised the Chrome renderer process to escape the browser sandbox. The vulnerability is reachable over the network and requires the victim to visit a crafted HTML page, though no authentication is needed. Successful exploitation gives the attacker code execution outside the renderer sandbox, enabling full read, write, and disruption of data on the host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-10921 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium. Images running any Chrome version below 149.0.7827.53 are flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.3 (HIGH) and weights that score against each environment's configured compliance policy, so teams with stricter sandbox-escape sensitivity receive elevated-priority alerts. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy rules.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available through HarborGuard once the fix version is confirmed in the upstream advisory. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network; the victim's browser must be able to reach a remote attacker-controlled page.

  • Authentication: Not required

    No account or credentials are needed; any anonymous visitor can be targeted.

  • Victim interaction: Required

    The victim must navigate to or be social-engineered into loading a crafted HTML page in the affected browser.

  • Attack complexity: Detail

    Exploitation is rated high complexity because the attacker must first have compromised the renderer process before the integer overflow can be used for sandbox escape, introducing a meaningful pre-condition.

Blast Radius

  • An attacker who succeeds reads arbitrary files and data accessible to the browser process on the host, bypassing the sandbox boundary.
  • The attacker can write or modify data on the host filesystem outside the sandbox, including user profile data and credentials stored on disk.
  • The attacker gains code execution in the context of the host process, enabling installation of persistent malware or further lateral movement.
  • The host process and dependent services can be crashed or rendered unavailable, disrupting the user's session and any locally running services.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome below version 149.0.7827.53 are detected and flagged the moment CVE-2026-10921 enters the upstream feed. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image at the patched version, executes the configured regression test suite, and opens a pull request against the affected workload; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automatic remediation, the finding is queued for manual review with full CVSS context, affected image list, and recommended fix version attached.


Fix available: 149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H