CVE-2026-10955: Type Confusion in ANGLE in Google Chrome on Windows prior to 149
Type Confusion in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A type confusion vulnerability in ANGLE, the graphics translation layer used by Google Chrome on Windows, allows a remote attacker to trigger out-of-bounds memory access by serving a crafted HTML page. The attack is reachable over the network and requires no authentication, but it does require the victim to visit a malicious page in an affected browser. Successful exploitation gives the attacker read, write, and crash primitives over the browser process, enabling data theft, content tampering, or denial of service. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-10955 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle or distribute Chrome on Windows base layers.
Triage is available with the CVSS 3.1 score of 8.8 (HIGH) applied automatically; per-environment compliance policy weighting can escalate or suppress routing, and the finding is delivered to the appropriate team inbox within each customer organization.
A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard as soon as the fix version is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a PR against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must serve a crafted HTML page to the victim over the network, so the Chrome process must be reachable in a browsing context exposed to attacker-controlled content.
- Authentication: Not required
No account or credential is needed; any unauthenticated remote attacker who can deliver a link or embed content can trigger the vulnerability.
- Victim interaction: Required
The victim must open or be redirected to the attacker-crafted HTML page in an affected Chrome instance, making this a social-engineering or malicious-ad delivery scenario.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no race condition, specific memory layout, or other environmental precondition beyond the victim visiting the page.
Blast Radius
- Reads arbitrary memory from the Chrome renderer process, exposing stored credentials, session tokens, and page content from other open tabs.
- Writes to out-of-bounds memory regions, allowing the attacker to corrupt browser state or inject data into the running process.
- Crashes the affected Chrome process, denying browser availability to the victim for the duration of exploitation or as a side effect of a failed payload.
- Combined high confidentiality, integrity, and availability impact means a reliable exploit can chain these primitives toward full renderer compromise.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-10955 is matched against any image that packages or distributes Google Chrome on Windows base layers, with results surfaced within minutes of CVE publication. For environments running an affected Chrome version below 149.0.7827.53, a rebuilt image at the fix version is available immediately. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression test run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding appears in the HarborGuard dashboard with fix-version guidance and a direct link to the upstream Chromium advisory so the responsible team can act manually.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H