Severity: HIGH | CVE-2026-10933 | CNA: Chrome

CVE-2026-10933: Use after free in Audio in Google Chrome on Windows prior to 149

Use after free in Audio in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Audio component of Google Chrome on Windows in versions prior to 149.0.7827.53. The flaw is reachable over the network but requires victim interaction and a pre-compromised renderer process; an attacker who has already broken into the renderer can deliver a crafted HTML page to trigger the bug. Successful exploitation enables a full sandbox escape, giving the attacker high-impact access to confidentiality, integrity, and availability outside the browser sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium runtime.

Triage: Available

HarborGuard scores this CVE at 8.3 HIGH using the published CVSS v3.1 vector and weights it further against each environment's compliance policy, then routes the finding to the appropriate team inbox within the customer org.

Patch: Available

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the targeted host must be reachable and the victim must browse to attacker-controlled content.

  • Authentication: Not required

    No account or credentials are needed to serve the malicious HTML page to the victim.

  • Victim interaction: Required

    The victim must open or be redirected to a crafted HTML page, making a social-engineering or drive-by delivery step necessary.

  • Attack complexity: Detail

    Exploitation is rated high complexity because it requires the renderer process to already be compromised before the use-after-free can be leveraged for a sandbox escape.

Blast Radius

  • Attacker escapes the Chrome sandbox and executes code with the privileges of the browser process on the Windows host.
  • Confidential data accessible to the browser process (stored credentials, cookies, session tokens, local files) is exposed.
  • Attacker can write or modify files and system state outside the sandbox, including dropping persistent malware.
  • The browser process and dependent services can be crashed or made unavailable.

How HarborGuard Handles This

Available on HarborGuard: images carrying Chrome versions below 149.0.7827.53 on Windows are flagged automatically as soon as the CVE enters the ingestion pipeline. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image at the patched version, executes a regression run, and opens a pull request against affected workloads; for high-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is staged and the finding is routed to the designated team inbox for one-click promotion. Because this vulnerability requires a pre-compromised renderer as a precondition, customers who cannot immediately update should consider network-policy controls that restrict outbound browser process connections and enforce strict Content Security Policy headers on internal web properties to reduce the renderer-compromise surface while the patch is being applied.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H