How is CVE-2026-10962 exploited?

Network reachability (required): The attacker delivers the exploit over the network; the target Chrome instance must be reachable in the sense that the user browses to an attacker-controlled or compromised URL. Authentication (not-required): No credentials or account access are needed; any unauthenticated remote attacker can serve the malicious HTML page. Victim interaction (required): The user must visit a crafted HTML page, meaning the attacker must direct or trick the target into opening the malicious URL. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and imposes no special race conditions or environmental prerequisites on the attacker.

What is the impact of CVE-2026-10962?

Arbitrary code executes inside the Chrome renderer sandbox, giving the attacker control over the sandboxed process. The attacker reads all data accessible within the compromised renderer, including page content, session cookies, and stored credentials exposed to the process. The attacker can modify in-memory page state and inject content, potentially altering what the user sees or submitting requests on their behalf. A successful sandbox escape chained onto this vulnerability would extend access to the underlying host operating system and its files.

Back to search

HIGHCVE-2026-10962Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-10962: Type Confusion in Media in Google Chrome prior to 149

Type Confusion in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A type confusion vulnerability in the Media component of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the browser sandbox by convincing a user to visit a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, only a single user interaction such as clicking a malicious link or visiting an attacker-controlled page. Successful exploitation gives the attacker code execution within the Chrome sandbox, which combined with a sandbox escape could lead to full system compromise. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection for CVE-2026-10962 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Chrome or Chromium. Any image in a customer registry or CI pipeline containing a vulnerable Chrome version is flagged automatically.

Available

Triage

HarborGuard scores this CVE at 8.8 HIGH (CVSS v3.1) and surfaces it with priority weighting applied by each customer's compliance policy. Findings are routed to the appropriate team inbox based on the owning environment, workload labels, and policy configuration within each customer org.

Available

Patch

A patched-image rebuild at Chrome version 149.0.7827.53 becomes available on HarborGuard once the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network; the target Chrome instance must be reachable in the sense that the user browses to an attacker-controlled or compromised URL.
AuthenticationNot required
No credentials or account access are needed; any unauthenticated remote attacker can serve the malicious HTML page.
Victim interactionRequired
The user must visit a crafted HTML page, meaning the attacker must direct or trick the target into opening the malicious URL.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and imposes no special race conditions or environmental prerequisites on the attacker.

Blast Radius

Arbitrary code executes inside the Chrome renderer sandbox, giving the attacker control over the sandboxed process.
The attacker reads all data accessible within the compromised renderer, including page content, session cookies, and stored credentials exposed to the process.
The attacker can modify in-memory page state and inject content, potentially altering what the user sees or submitting requests on their behalf.
A successful sandbox escape chained onto this vulnerability would extend access to the underlying host operating system and its files.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-10962 is matched against all images in customer registries and pipelines within minutes of advisory publication, covering any image that bundles Chrome or Chromium below version 149.0.7827.53. A patched-image rebuild at 149.0.7827.53 is available for affected environments. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the fixed version, runs a regression test suite, and opens a pull request against affected workloads. For HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy restricts automated changes, the finding is routed to the designated team inbox with full CVSS context and remediation guidance so that a manual upgrade can be prioritized.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available