HIGH | CVE-2026-10922 | CNA: Chrome

CVE-2026-10922: Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149

Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via malicious network traffic. (Chromium security severity: High)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

Insufficient input validation in the DevTools component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker to bypass the same-origin policy, a browser security boundary that prevents one site from reading data from another. The attack is reachable over the network but requires the attacker to trick a user into performing specific UI gestures, such as clicking through a crafted web page. Successful exploitation gives the attacker full read, write, and crash capabilities against the affected browsing context, enabling data theft, content tampering, and denial of service. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-10922 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or ship Google Chrome. Any image carrying a Chrome version below 149.0.7827.53 will surface as affected.

Available
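
A minimal version gate for the "below 149.0.7827.53" rule described above, as an added example that is not HarborGuard's matching code. The image names and version banners in `SAMPLE` are constructed, and the function names are illustrative; the point is that the four version fields must be compared numerically, because a string comparison ranks `149.0.7827.6` and `99.0.4844.84` above the fixed build.

```python
import re

# First fixed build, taken from this advisory.
FIXED = (149, 0, 7827, 53)

# Chrome versions are four dot-separated integers (MAJOR.MINOR.BUILD.PATCH).
# The lookarounds reject fragments of longer dotted strings.
_VERSION = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?!\.?\d)")


def parse_chrome_version(text):
    """Return the version as a tuple of ints, or None if none is present."""
    match = _VERSION.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(text, fixed=FIXED):
    """True = below the fix, False = fixed, None = version unknown."""
    version = parse_chrome_version(text)
    if version is None:
        return None  # never report "not affected" for an unreadable version
    return version < fixed  # tuple comparison is numeric, field by field


def triage(inventory):
    """Sort {name: version banner} into affected / fixed / unknown lists."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for name, banner in sorted(inventory.items()):
        verdict = is_affected(banner)
        key = "unknown" if verdict is None else "affected" if verdict else "fixed"
        result[key].append(name)
    return result


# Constructed inventory: image names and banners are illustrative only.
SAMPLE = {
    "web-render:1.4": "Google Chrome 148.0.7778.96",
    "pdf-export:2.0": "Chromium 149.0.7827.6 built on Debian",
    "e2e-tests:latest": "Google Chrome 149.0.7827.53",
    "legacy-kiosk:7": "Google Chrome 99.0.4844.84",
    "scraper:dev": "sh: google-chrome: not found",
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Entries that land in `unknown` need manual review rather than being counted as fixed.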
Triage

HarborGuard scores this CVE at CVSS 8.8 (High) and is capable of weighting that score against each environment's compliance policy to determine urgency and routing. Triage findings are routed to the appropriate team inbox within each customer organization based on configured policy.

Available
Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network; the target Chrome instance must be reachable via normal internet browsing.

  • Authentication: Not required

    No account or credential is needed; the attacker only needs the victim to visit or interact with a malicious page.

  • Victim interaction: Required

    The victim must perform specific UI gestures (for example, clicking elements on a crafted page) as directed by the attacker, making social engineering a necessary part of the attack.

  • Attack complexity: Detail

    Attack complexity is Low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond getting the victim to interact.

Blast Radius

  • A successful attacker reads data from origins the victim is authenticated to, including session tokens, cookies, and page content that same-origin policy would normally protect.
  • The attacker can write or modify content in the context of affected origins, enabling credential harvesting, form hijacking, or injecting malicious scripts.
  • The attacker can crash or hang the affected browser process, disrupting the user's session and any active workloads running in that context.
  • All three impact dimensions (confidentiality, integrity, availability) are rated High, meaning the attacker gains full effective control over the compromised browsing context.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome below version 149.0.7827.53 are flagged as soon as the CVE is ingested, typically within minutes of publication. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding the affected image at the patched version (149.0.7827.53), executing a regression test run, and opening a pull request against affected workloads; for High-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, the flagged finding is routed to the appropriate team inbox so engineers can manually trigger the rebuild workflow. Customers who cannot immediately update are encouraged to apply network-policy controls that restrict access to untrusted web content from environments where Chrome is embedded, and to consider feature-flag gating on DevTools exposure where the runtime permits.


Fix available: 149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H