CVE-2026-10946: Heap buffer overflow in Media in Google Chrome prior to 149
Heap buffer overflow in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A heap buffer overflow vulnerability exists in the Media component of Google Chrome versions prior to 149.0.7827.53. The flaw is reachable over the network but requires the attacker to trick a user into performing specific UI gestures on a crafted HTML page, and no authentication is needed on the attacker's side. Successful exploitation allows the attacker to execute arbitrary code inside the Chrome sandbox, combining full confidentiality, integrity, and availability impact within that sandbox context. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-10946 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication, including custom-built images that bundle Chrome or Chromium. Coverage extends to both pinned and floating base-image tags that pull an affected Chrome version.
Status: Available
HarborGuard is capable of scoring this CVE at its published CVSS 3.1 severity of 7.5 (HIGH) and weighting that score against each environment's compliance policy before routing findings to the appropriate team inbox within the customer organization.
Status: Available
A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Status: Available
Exploit Conditions
- Network reachability: Required
  The attacker must deliver a crafted HTML page to the victim over the network, meaning the Chrome instance must be reachable by or directed to attacker-controlled web content.
- Authentication: Not required
  No account or credential is required on the attacker's side; any unauthenticated remote party can serve the malicious page.
- Victim interaction: Required
  The attacker must convince the target user to perform specific UI gestures on the crafted page, making this a social-engineering-dependent attack.
- Attack complexity: Detail
  Attack complexity is rated High, meaning the exploit depends on environmental or timing conditions beyond the attacker's direct control, such as specific media-processing state or memory layout inside Chrome.
Blast Radius
- Executes arbitrary code inside the Chrome renderer sandbox, giving the attacker control over the sandboxed process.
- Reads memory contents accessible within the sandbox, which may include cached page data, session tokens, or in-memory credentials.
- Modifies in-process state or on-disk resources writable by the sandboxed renderer, potentially corrupting browser storage or injecting content.
- Crashes or hangs the affected Chrome renderer process, disrupting the user's browsing session.
How HarborGuard Handles This
Available on HarborGuard: detection of CVE-2026-10946 is active for any image that packages Google Chrome below version 149.0.7827.53, matched within minutes of the advisory entering upstream feeds. Where a customer's compliance policy permits auto-remediation, HarborGuard can rebuild the affected image at the fixed version (149.0.7827.53), execute a regression run against the rebuilt image, and open a pull request targeting affected workloads. For high-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually will find the finding surfaced in their HarborGuard dashboard with the fix version pre-populated. Until a rebuild is confirmed deployed, consider network-policy controls that restrict which hosts Chrome-containing workloads can reach, reducing the attacker's ability to deliver a crafted page to the vulnerable component.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H