CVE-2026-10947: Use after free in WebRTC in Google Chrome prior to 149
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the WebRTC component of Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network without authentication, but requires a victim to visit a crafted HTML page. Successful exploitation allows a remote attacker to execute arbitrary code inside the Chrome renderer sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-10947 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle Chrome or Chromium as a dependency.
HarborGuard is capable of scoring this CVE at 8.8 HIGH using the CVSS v3.1 vector, weighted further against each customer organization's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.
A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard can trigger an automated rebuild, run a regression test suite against the new image, and open a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing or luring a victim to a crafted HTML page hosted remotely.
- Authentication: Not required
No account credentials or prior authentication to any service are needed to carry out the attack.
- Victim interaction: Required
A victim must visit a crafted HTML page, making this a social-engineering-dependent attack that requires at least one deliberate or induced browser action.
- Attack complexity: Low
Attack complexity is rated low (CVSS AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Executes arbitrary code inside the Chrome renderer sandbox, giving the attacker control over the renderer process.
- Reads sensitive data accessible to the renderer, including page content, cookies scoped to the current session, and in-memory credentials.
- Modifies page state and behavior in ways that can facilitate further exploitation or credential theft against the active user session.
- Crashes or destabilizes the affected renderer process, disrupting the user's browsing session.
How HarborGuard Handles This
Available on HarborGuard: detection and remediation capabilities for CVE-2026-10947 are active across customer environments without manual configuration. For environments running Chrome versions below 149.0.7827.53, a rebuild against the fixed version is available immediately. Customers with auto-remediation enabled receive an automated rebuild, a regression test run against the patched image, and a pull request opened against affected workloads; for high-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, HarborGuard queues the finding for engineer review with full CVSS context and affected image inventory attached. Although this exploit requires victim interaction via a browser, teams shipping container images that bundle Chrome or Chromium should treat this as a high-priority update given the low attack complexity and unauthenticated remote exposure.
Fix available
- Google / Chrome: < 149.0.7827.53 (fixed from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H