CVE-2026-10931: Use after free in FileSystem in Google Chrome prior to 149
Use after free in FileSystem in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
Use-after-free in the FileSystem component of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to exploit deallocated memory through a crafted HTML page. The vulnerability is reachable over the network with no authentication required, but does require the victim to visit a malicious page. Successful exploitation enables a full sandbox escape, giving the attacker read, write, and denial-of-service capability outside the browser sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Chrome or Chromium. No manual scan trigger is needed.
Available
HarborGuard scores this issue at CVSS 9.6 (Critical) and is capable of weighting that score against each environment's compliance policy to determine urgency tier. Triage routing to the appropriate team inbox within each customer org is available out of the box.
Available
A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, the platform performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
Available
Exploit Conditions
- Network reachability: Required
  The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted on an attacker-controlled server.
- Authentication: Not required
  No account or credential of any kind is needed; the exploit is available to any unauthenticated remote party who can reach the victim's browser.
- Victim interaction: Required
  The victim must navigate to or be redirected to the attacker's crafted HTML page, making this a social-engineering or drive-by delivery scenario.
- Attack complexity: Detail
  Attack complexity is rated low (AC:L): the rating assumes the attack does not depend on race conditions, specific memory layouts, or other environmental preconditions outside the attacker's control.
Blast Radius
- Reads sensitive data from outside the browser sandbox, including files and tokens accessible to the browser process.
- Writes or modifies data outside the sandbox boundary, enabling persistent changes to the host environment.
- Crashes or disrupts the browser process and potentially dependent host services.
- Full sandbox escape means subsequent attacker actions are limited only by the privileges of the browser process on the underlying host.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-10931 is active across all connected registries and pipelines, matching any image that bundles Chrome or Chromium below version 149.0.7827.53. Given the Critical (9.6) severity and the scope-changed, no-auth exploit path, affected images are flagged at the highest urgency tier. For customers with auto-remediation enabled, HarborGuard can rebuild the image at the fixed version, execute a regression run, and open a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy does not permit automated remediation, HarborGuard surfaces the finding with full CVSS detail and fix-version guidance so engineering teams can act manually. Customers who cannot update immediately should consider network-policy controls that restrict outbound access from workloads running the affected Chrome version, reducing the exposure window until a patched image is deployed.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H