CVE-2026-10936: Type Confusion in V8 in Google Chrome prior to 149
Type Confusion in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A type confusion vulnerability in V8, the JavaScript engine embedded in Google Chrome prior to version 149.0.7827.53, allows a remote attacker to execute arbitrary code inside the browser sandbox by luring a victim to a crafted HTML page. The attack is reachable over the network and requires no authentication, but does require the victim to visit a malicious page. Successful exploitation gives the attacker code execution within the Chrome sandbox, which, combined with a sandbox escape, could lead to full compromise of the browser process. A patched-image rebuild at 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability for CVE-2026-10936 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.
HarborGuard surfaces this CVE with its CVSS v3.1 score of 8.8 (HIGH) and applies per-environment compliance policy weighting to determine urgency and route findings to the appropriate team inbox within each customer organization.
A patched-image rebuild at Chrome 149.0.7827.53 is available for any environment HarborGuard identifies as running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network; the victim's browser must be able to reach the attacker-controlled or compromised HTML page.
- Authentication: Not required
No account or credentials are needed on any system; the attacker only needs to get the victim to load a crafted page.
- Victim interaction: Required
The victim must navigate to or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.
Blast Radius
- The attacker gains arbitrary code execution within the Chrome renderer sandbox, enabling full control over JavaScript engine state and rendered content.
- Confidential data processed in the browser context, including session tokens, form inputs, and displayed page content, is readable by the attacker.
- The attacker can modify in-browser data, inject content into pages, and redirect user actions without the victim's awareness.
- Availability of the affected browser tab or process is disrupted; a renderer crash or forced termination is within the attacker's reach.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-10936 is active the moment the CVE enters upstream feeds, and any customer image containing a Chrome or Chromium binary below 149.0.7827.53 is flagged automatically. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, runs regression tests, and opens a PR against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated changes, the finding is routed to the designated team inbox with remediation guidance to upgrade to 149.0.7827.53 or later.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H