How is CVE-2026-10953 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted remotely. Authentication (not-required): No account or credentials are required; the attacker interacts with the browser as any anonymous remote party. Victim interaction (required): The victim must visit a crafted HTML page, requiring a social-engineering step such as a phishing link or malicious redirect. Attack complexity (info): Attack complexity is high, meaning the attacker must have already compromised the renderer process before the use-after-free primitive can be used to escape the sandbox.

What is the impact of CVE-2026-10953?

A successful attacker escapes the Chrome sandbox and gains execution context with privileges beyond the renderer, able to read sensitive data stored on the device including session tokens and personal files. The attacker can write to or modify data accessible outside the sandbox, including application storage and potentially system-level resources. The attacker can crash or destabilize services running outside the Chrome sandbox, causing denial of availability. Because the scope is changed (S:C in the CVSS vector), impact extends beyond the browser process itself to other components on the Android device.

Back to search

HIGHCVE-2026-10953Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-10953: Use after free in Core in Google Chrome on Android prior to 149

Use after free in Core in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Core component of Google Chrome for Android affects all versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but the attacker must have already compromised the renderer process and must trick a victim into visiting a crafted HTML page. Successful exploitation enables a sandbox escape, giving the attacker capabilities beyond the Chrome sandbox including access to confidential data, modification of data, and disruption of availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-10953 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built Android-targeting images. Coverage extends to images in both connected registries and active CI/CD pipelines.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.3 (HIGH) and weighting it against each environment's compliance policy to determine breach-threshold status. Triage routing to the appropriate team inbox within each customer org is available based on policy configuration.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard will rebuild the image, run a regression test suite, and open a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted remotely.
AuthenticationNot required
No account or credentials are required; the attacker interacts with the browser as any anonymous remote party.
Victim interactionRequired
The victim must visit a crafted HTML page, requiring a social-engineering step such as a phishing link or malicious redirect.
Attack complexityDetail
Attack complexity is high, meaning the attacker must have already compromised the renderer process before the use-after-free primitive can be used to escape the sandbox.

Blast Radius

A successful attacker escapes the Chrome sandbox and gains execution context with privileges beyond the renderer, able to read sensitive data stored on the device including session tokens and personal files.
The attacker can write to or modify data accessible outside the sandbox, including application storage and potentially system-level resources.
The attacker can crash or destabilize services running outside the Chrome sandbox, causing denial of availability.
Because the scope is changed (S:C in the CVSS vector), impact extends beyond the browser process itself to other components on the Android device.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10953 is active across customer registries and pipelines, matching images against the affected Chrome version range on ingestion. Because this is a HIGH-severity issue with a known fix, a rebuilt image at Chrome 149.0.7827.53 becomes available for scanning environments that include Android Chrome base images. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and associated diff are queued for reviewer action without any automated merge.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available