How is CVE-2026-10935 exploited?

Network reachability (required): The attacker delivers the exploit over the network by hosting a crafted HTML page that the victim's browser fetches remotely. Authentication (not-required): No account or credential is needed; any unauthenticated user who visits the malicious page is at risk. Victim interaction (required): The victim must navigate to or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

What is the impact of CVE-2026-10935?

The attacker executes arbitrary code within the Chrome renderer sandbox, gaining control over the sandboxed process. Confidential data processed by the browser, including session tokens, saved credentials, and page content, is exposed to the attacker. The attacker can modify in-browser state and interact with web origins the victim is authenticated to, enabling data tampering through the browser. A successful sandbox escape following initial compromise would give the attacker full access to the host user account and its files.

Back to search

HIGHCVE-2026-10935Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-10935: Type Confusion in V8 in Google Chrome prior to 149

Type Confusion in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A type confusion vulnerability in V8, the JavaScript engine embedded in Google Chrome, allows a remote attacker to execute arbitrary code inside the browser sandbox by tricking a user into visiting a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, but does require the victim to open a malicious page. Successful exploitation gives the attacker code execution within the Chrome sandbox, which can serve as a stepping stone to full system compromise. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium as a dependency.

Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and applies per-environment compliance policy weighting to prioritize routing; findings are delivered to the inbox or ticketing integration configured for each customer organization.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available through HarborGuard once the fix version is detected upstream. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by hosting a crafted HTML page that the victim's browser fetches remotely.
AuthenticationNot required
No account or credential is needed; any unauthenticated user who visits the malicious page is at risk.
Victim interactionRequired
The victim must navigate to or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

The attacker executes arbitrary code within the Chrome renderer sandbox, gaining control over the sandboxed process.
Confidential data processed by the browser, including session tokens, saved credentials, and page content, is exposed to the attacker.
The attacker can modify in-browser state and interact with web origins the victim is authenticated to, enabling data tampering through the browser.
A successful sandbox escape following initial compromise would give the attacker full access to the host user account and its files.

How HarborGuard Handles This

Available on HarborGuard: detection of this vulnerability is matched against every customer image that includes Chrome or Chromium components, with results surfaced within minutes of the CVE entering upstream feeds. For environments running a Chrome version below 149.0.7827.53, a patched rebuild is available at the fix version. Where compliance policy permits auto-remediation, HarborGuard rebuilds the affected image, runs regression tests, and opens a pull request against impacted workloads; for high-severity issues, the median time from publication to a merged patch PR is around 90 minutes. Customers who manage remediation manually can act on the finding routed to their configured inbox or ticketing system, using the fix version (149.0.7827.53) as the upgrade target.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available