HIGH | CVE-2026-10930 | CNA: Chrome

CVE-2026-10930: Out of bounds read in ANGLE in Google Chrome on Mac prior to 149

Out of bounds read in ANGLE in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability affects ANGLE, the graphics abstraction layer inside Google Chrome on macOS, in versions prior to 149.0.7827.53. The flaw is reachable over the network without any credentials, but requires a user to visit a crafted HTML page. A successful exploit reads memory outside the intended buffer, exposing sensitive in-process data and crashing the affected tab or renderer process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-10930 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. Coverage extends to custom-built images that bundle Google Chrome, including internal base images derived from macOS-targeting build workflows.

Status: Available

Triage

HarborGuard surfaces this CVE with its CVSS v3.1 score of 8.1 (HIGH), weighted against each customer environment's compliance policy to determine urgency and escalation path. Findings are routable to the team or inbox configured for the affected workload inside each customer org.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any image found to include an affected version. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, runs a regression test pass, and opens a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing a victim to a crafted HTML page hosted on an attacker-controlled server.

  • Authentication: Not required

    No credentials or account of any kind are required; the exploit is available to any unauthenticated party who can serve a web page to the target.

  • Victim interaction: Required

    The target user must visit or be redirected to the attacker's crafted HTML page, requiring a social-engineering or malicious-ad delivery step.

  • Attack complexity: Detail

    The exploit is reliable and imposes no race conditions or special environmental preconditions; a well-formed malicious page is sufficient to trigger the out-of-bounds read.

Blast Radius

  • Reads memory contents from the Chrome renderer process, potentially exposing in-memory page data, cached credentials, or session tokens held by the browser.
  • Crashes the affected renderer or tab process, causing a denial of service for the browsing session tied to the targeted page.

How HarborGuard Handles This

Available on HarborGuard: any image containing Google Chrome below version 149.0.7827.53 is flagged immediately upon scan, with a severity-8.1 HIGH finding routed according to each environment's compliance policy. A patched rebuild at 149.0.7827.53 is available as soon as an affected image is identified. For customers with auto-remediation enabled, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes, covering the full cycle of image rebuild, regression run, and PR creation against affected workloads. Where compliance policy requires manual approval, the rebuilt image and test results are staged and surfaced for one-click promotion.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H