CVE-2026-10927: Out of bounds read in Dawn in Google Chrome prior to 149
Out of bounds read in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 8.3
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An out-of-bounds read vulnerability exists in Dawn, the WebGPU backend used by Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but an attacker must first compromise the Chrome renderer process and persuade a victim to open a crafted HTML page. Successful exploitation enables a sandbox escape, granting the attacker capabilities beyond the browser sandbox including read access to sensitive data, the ability to tamper with files or system state, and potential full code execution. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium. Any image shipping a Chrome version below 149.0.7827.53 is flagged automatically.
AvailableHarborGuard scores this CVE at 8.3 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and ownership. Triage findings are routed to the appropriate team inbox within each customer organization based on policy-configured severity thresholds.
AvailableA patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to include an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the resulting image, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, so the victim's browser must be reachable or the attacker must serve content across the internet or an internal network segment.
- AuthenticationNot required
No account or credential is needed; the attack is initiated by persuading any unauthenticated user to visit a malicious page.
- Victim interactionRequired
The victim must open a crafted HTML page in an affected Chrome version, making this a social-engineering-dependent attack requiring at least one user action.
- Attack complexityDetail
Exploitation is rated high complexity because the attacker must already have compromised the Chrome renderer process before the out-of-bounds read can be leveraged for a sandbox escape, introducing a meaningful prerequisite condition.
Blast Radius
- A successful attacker escapes the Chrome sandbox, breaking the isolation boundary that normally confines renderer-process code.
- With sandbox escape achieved, the attacker reads files and data accessible to the browser process on the host, including stored credentials, cookies, and local user files.
- The attacker can modify files or system configuration within the scope of the compromised user account.
- Full disruption of the browser process and dependent services on the host is achievable through the same code-execution primitive.
How HarborGuard Handles This
Available on HarborGuard: any image bundling Google Chrome below 149.0.7827.53 is detected automatically within minutes of CVE ingestion, scored at 8.3 HIGH, and surfaced in the relevant team inbox according to each organization's compliance policy. A rebuilt image pinned to the fixed version 149.0.7827.53 becomes available as soon as the upstream package is resolvable. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes the configured regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, the rebuild is queued and available for manual promotion once an authorized reviewer approves the change.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H