CVE-2026-10943: Use after free in WebRTC in Google Chrome prior to 149
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the WebRTC component of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the browser sandbox. The attack is reachable over the network and requires no authentication, but does require the victim to visit a crafted HTML page. Successful exploitation gives the attacker arbitrary code execution within the Chrome sandbox, which is a prerequisite for further sandbox-escape chains. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-10943 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chrome or Chromium binary. (Available)
HarborGuard scores this CVE at 8.8 HIGH using the recorded CVSS v3.1 vector and is capable of weighting that score against each customer environment's compliance policy to route findings to the appropriate team inbox. (Available)
A patched-image rebuild at Chrome 149.0.7827.53 becomes available for any image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run a regression test suite, and open a pull request against affected workloads automatically. (Available)
Exploit Conditions
- Network reachability: Required. The attacker delivers the malicious HTML page over the network, so the target service or user must be reachable from the internet or an adjacent network segment.
- Authentication: Not required. No account or credential is needed; any anonymous visitor who loads the crafted page is a valid target.
- Victim interaction: Required. The victim must navigate to or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.
- Attack complexity: Low. Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- The attacker gains arbitrary code execution inside the Chrome renderer sandbox, enabling full control over the sandboxed process.
- Confidential data processed or displayed in the browser context, including session tokens, page contents, and form input, becomes readable to the attacker.
- The attacker can modify data within the sandboxed process, including intercepting or altering in-flight network requests made by the tab.
- The sandboxed process can be crashed or held hostage, disrupting availability of the browser session for the affected user.
How HarborGuard Handles This
Available on HarborGuard: detection of this vulnerability is matched against all customer images within minutes of CVE publication, covering both upstream Chrome base images and any custom images that bundle a Chromium binary. For environments running Chrome prior to 149.0.7827.53, a patched-image rebuild at the fix version is available. For customers with auto-remediation enabled, HarborGuard can perform the rebuild, execute a regression test run, and open a pull request against affected workloads automatically. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and associated findings are queued and routed to the designated team inbox for review.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H