CVE-2026-10963: Integer overflow in V8 in Google Chrome prior to 149
Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
An integer overflow in V8, the JavaScript engine embedded in Google Chrome, affects all versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but a victim must visit a crafted HTML page; once triggered, it allows a remote attacker to execute arbitrary code inside the Chrome sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-10963 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome or Chromium runtime.
Available
HarborGuard scores this CVE at 8.8 HIGH using the provided CVSS v3.1 vector, and per-environment compliance policy weighting is applied automatically to route findings to the appropriate team inbox within each customer organization.
Available
A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network; the victim's Chrome instance must be able to reach an attacker-controlled or compromised URL.
- Authentication: Not required
No account or credential is needed; any unauthenticated remote party can serve the malicious page.
- Victim interaction: Required
The victim must open or be redirected to a crafted HTML page, making this a social-engineering or drive-by-style attack.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental variables.
Blast Radius
- Executes arbitrary code inside the Chrome renderer sandbox, giving the attacker control of the sandboxed process.
- Reads sensitive in-browser data including session cookies, stored credentials, and page content from any open origin (Confidentiality: High).
- Writes or modifies in-browser state, potentially injecting malicious scripts or altering data the user submits (Integrity: High).
- Crashes or hangs the affected Chrome process or tab, disrupting the user's session (Availability: High).
How HarborGuard Handles This
Available on HarborGuard: any image that packages Google Chrome or a Chromium-based runtime below version 149.0.7827.53 is flagged automatically within minutes of CVE publication. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the patched version, runs a regression suite, and opens a PR against affected workloads; for high-severity CVEs like this one, median time from publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments that require manual review before merging, the rebuilt image and full CVSS context are staged and waiting in the HarborGuard dashboard. Until the patched image is deployed, consider applying network policy controls to restrict which workloads can initiate outbound browser sessions, and use feature-flag or policy gating to disable Chrome in non-essential containers.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H