How is CVE-2026-10959 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing the victim's Chrome browser to a crafted HTML page hosted on an attacker-controlled server. Authentication (not-required): No account, credential, or session token is required; any user browsing to the malicious page is a viable target. Victim interaction (required): The victim must visit the attacker-crafted HTML page, making this a social-engineering vector that requires the victim to take an action such as clicking a link. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.

What is the impact of CVE-2026-10959?

The attacker executes arbitrary code inside the Chrome renderer sandbox on the victim's Android device, gaining control over the browser process. Confidential data accessible to the browser, including stored credentials, session cookies, and page content from other origins, can be read. The attacker can modify or inject content into pages rendered by the compromised process, enabling in-browser data tampering. If combined with a sandbox-escape primitive, the attacker can extend access beyond the browser to the underlying Android OS process context.

Back to search

HIGHCVE-2026-10959Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-10959: Use after free in Input in Google Chrome on Android prior to 149

Use after free in Input in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Input component of Google Chrome for Android (versions before 149.0.7827.53) allows a remote attacker to execute arbitrary code inside the browser sandbox by serving a crafted HTML page. The attacker operates over the network and requires no authentication, but does need the victim to visit a malicious page. Successful exploitation gives the attacker arbitrary code execution within the Chrome sandbox, enabling data access, content tampering, and potential sandbox-escape chaining. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-10959 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both connected registries and CI/CD pipelines, including custom-built Android or Chrome-bundling images.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured policy rules.

Available

Patch

A patched-image rebuild at Chrome version 149.0.7827.53 becomes available on HarborGuard the moment the fix is confirmed in the upstream package feed. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim's Chrome browser to a crafted HTML page hosted on an attacker-controlled server.
AuthenticationNot required
No account, credential, or session token is required; any user browsing to the malicious page is a viable target.
Victim interactionRequired
The victim must visit the attacker-crafted HTML page, making this a social-engineering vector that requires the victim to take an action such as clicking a link.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.

Blast Radius

The attacker executes arbitrary code inside the Chrome renderer sandbox on the victim's Android device, gaining control over the browser process.
Confidential data accessible to the browser, including stored credentials, session cookies, and page content from other origins, can be read.
The attacker can modify or inject content into pages rendered by the compromised process, enabling in-browser data tampering.
If combined with a sandbox-escape primitive, the attacker can extend access beyond the browser to the underlying Android OS process context.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10959 is active across all connected registries and pipelines, matching any image that bundles an affected Chrome for Android build (versions before 149.0.7827.53). A patched-image rebuild at 149.0.7827.53 is available once the upstream package is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, executes a regression run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval, the finding is queued with the CVSS 8.8 score and full vector detail for reviewer action. Customers not yet on auto-remediation are encouraged to prioritize this issue given the zero-authentication, network-reachable exploit path and the concrete code-execution impact within the browser process.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available