How is CVE-2026-10925 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing the victim to a remotely hosted crafted HTML page. Authentication (not-required): No account or credentials on the target system are needed to initiate the attack. Victim interaction (required): The victim must visit a crafted HTML page, requiring a social-engineering step such as a phishing link or malicious redirect. Attack complexity (info): Attack complexity is HIGH, meaning the attacker must first have compromised the Chrome renderer process before this out-of-bounds write can be used for sandbox escape, introducing a meaningful prerequisite beyond simply serving a page.

What is the impact of CVE-2026-10925?

Reads sensitive data accessible to the Chrome process, including stored credentials, session tokens, and local profile data, after escaping the sandbox. Modifies files and system state on the host outside the browser sandbox boundary. Disrupts or crashes host-level processes by writing to arbitrary memory locations outside permitted ranges. Gains a foothold on the macOS host that can be used for further lateral movement or persistence within the container or system environment.

Back to search

HIGHCVE-2026-10925Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-10925: Out of bounds write in Skia in Google Chrome on Mac prior to 149

Out of bounds write in Skia in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability in Skia, the graphics rendering library bundled with Google Chrome on macOS, affects all Chrome versions before 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but does require the attacker to have already compromised the Chrome renderer process and to trick a user into visiting a crafted HTML page. Successful exploitation enables a sandbox escape, giving the attacker code execution outside the browser sandbox with access to the underlying host system. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium on macOS base layers.

Available

Triage

HarborGuard scores this issue at CVSS 8.3 (HIGH) using the published v3.1 vector and can weight that score against each customer organization's compliance policy to prioritize routing and escalation to the appropriate team inbox.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a remotely hosted crafted HTML page.
AuthenticationNot required
No account or credentials on the target system are needed to initiate the attack.
Victim interactionRequired
The victim must visit a crafted HTML page, requiring a social-engineering step such as a phishing link or malicious redirect.
Attack complexityDetail
Attack complexity is HIGH, meaning the attacker must first have compromised the Chrome renderer process before this out-of-bounds write can be used for sandbox escape, introducing a meaningful prerequisite beyond simply serving a page.

Blast Radius

Reads sensitive data accessible to the Chrome process, including stored credentials, session tokens, and local profile data, after escaping the sandbox.
Modifies files and system state on the host outside the browser sandbox boundary.
Disrupts or crashes host-level processes by writing to arbitrary memory locations outside permitted ranges.
Gains a foothold on the macOS host that can be used for further lateral movement or persistence within the container or system environment.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome on macOS base layers are automatically matched against CVE-2026-10925 within minutes of advisory ingestion. Where a customer's registry or pipeline includes an affected Chrome version (below 149.0.7827.53), a rebuilt image at the patched version is made available. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression test run against the updated image, and opens a pull request targeting affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Customers who manage patching manually will see the affected image flagged in their dashboard with the fix version and affected layer clearly identified. Where compliance policy or environment constraints delay patching, compensating controls such as network-policy rules that restrict access to untrusted web content and egress filtering on affected container workloads are worth considering as interim measures.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available