HIGH | CVE-2026-10942 | CNA: Chrome

CVE-2026-10942: Inappropriate implementation in UI in Google Chrome on Windows prior to 149

Inappropriate implementation in UI in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: High)

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

An inappropriate UI implementation in Google Chrome on Windows (versions before 149.0.7827.53) allows a local attacker to escalate privileges by convincing a user to open a malicious file. The attack requires no prior authentication but does require the victim to interact with a crafted file, and exploitation succeeds reliably without special environmental conditions. Successful exploitation gives the attacker full read, write, and execution control over the affected system. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-10942 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images that bundle Google Chrome on Windows base layers.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.8 HIGH and weighting it against each environment's compliance policy to route findings to the appropriate team inbox within each customer organization.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to include an affected version. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network exposure is required.

  • Authentication: Not required

    No account or credential is needed before launching the attack; any unauthenticated local presence is sufficient.

  • Victim interaction: Required

    The victim must open or interact with a malicious file, making this a social-engineering vector that requires the attacker to deliver the file to a local user.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions, memory layout dependencies, or other environmental factors need to align.

Blast Radius

  • Reads sensitive files, stored credentials, browser session tokens, and other protected data on the host.
  • Modifies or overwrites files and system configuration, enabling persistence or sabotage.
  • Executes arbitrary code at an elevated privilege level, giving the attacker control over the affected Windows host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10942 is active across all customer registries and CI pipelines, matching any image that bundles a pre-149.0.7827.53 Chrome binary on a Windows layer. A patched rebuild at 149.0.7827.53 is available for affected images. Where compliance policy permits auto-remediation, HarborGuard can complete the rebuild, run regression tests, and open a pull request against affected workloads. For high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Organizations that cannot immediately rebuild should consider restricting file-open handlers, applying Windows AppLocker or WDAC policies to limit Chrome's privilege scope, and auditing local user permissions as compensating controls while the patched image is staged for deployment.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H