HIGH | CVE-2026-10926 | CNA: Chrome

CVE-2026-10926: Use after free in Cast in Google Chrome prior to 149

Use after free in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to execute arbitrary code via malicious network traffic. (Chromium security severity: High)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Cast component of Google Chrome (versions prior to 149.0.7827.53) allows an unauthenticated attacker on the same local network segment to execute arbitrary code by sending malicious network traffic to an affected browser. No user interaction and no account credentials are required. Successful exploitation gives the attacker full code execution inside the Chrome process, enabling data theft, system compromise, or further lateral movement. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected Chrome version.

HarborGuard Coverage

Detection

Detection of CVE-2026-10926 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Chrome or Chromium. Any image in a connected registry or CI pipeline carrying a pre-149.0.7827.53 Chrome build is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.8 (High) and surfaces it accordingly in each customer org's triage queue, weighted against that environment's compliance policy. Routing rules direct the finding to the team or inbox responsible for browser-layer dependencies in each environment.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard the moment the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a PR against the affected workload automatically.

Status: Available

Exploit Conditions

  • Network reachability

    The attacker must be present on the same local network segment, LAN, or VPN as the target; remote internet-based exploitation is not possible with this vector.

  • Authentication: Not required

    No credentials or account of any privilege level are needed to send the malicious network traffic that triggers the vulnerability.

  • Victim interaction: Not required

    The exploit is delivered entirely through network traffic; no action by the browser user is required.

  • Attack complexity

    Exploitation is reliable and condition-free; no race conditions, specific memory layout, or environmental configuration are required beyond network adjacency.

Blast Radius

  • An attacker achieves arbitrary code execution inside the Chrome process on the victim host.
  • Confidentiality impact is complete: the attacker reads browser session tokens, stored credentials, cookies, and any data accessible to the Chrome process.
  • Integrity impact is complete: the attacker writes or modifies files and data accessible to the Chrome process, including browser profile data and downloaded files.
  • Availability impact is complete: the attacker can crash or hang the browser process or consume host resources.

How HarborGuard Handles This

Available on HarborGuard: images containing Chrome prior to 149.0.7827.53 are matched against this CVE within minutes of publication and flagged at High severity (CVSS 8.8) in each customer org's finding queue. A patched-image rebuild pinned to 149.0.7827.53 is available for any affected image in a connected registry. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not permitted by compliance policy, the finding is routed to the appropriate team with remediation guidance to update the Chrome or Chromium layer to 149.0.7827.53 or later.

Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H