HIGH | CVE-2026-10964 | CNA: Chrome

CVE-2026-10964: Integer overflow in V8 in Google Chrome prior to 149

Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

An integer overflow in V8, the JavaScript engine embedded in Google Chrome, allows a remote attacker to execute arbitrary code inside the Chrome sandbox by convincing a user to visit a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though it does require the victim to open a malicious page. Successful exploitation gives the attacker code execution within the browser's sandbox, which can be a stepping stone to deeper system compromise. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium installation.

Triage: Available

HarborGuard scores this finding at CVSS 8.8 (High) and weights it against each environment's compliance policy to determine priority; findings are then routed to the appropriate team inbox within the customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at Chrome version 149.0.7827.53 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim's browser over the network by serving a crafted HTML page from a remote origin.

  • Authentication: Not required

    No account or credential is needed; the exploit is triggered by any unauthenticated user visiting the malicious page.

  • Victim interaction: Required

    The victim must navigate to or be redirected to the attacker-controlled HTML page, requiring a social-engineering step such as a phishing link.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free once the victim loads the page; no race conditions or specific memory layout prerequisites are involved.

Blast Radius

  • The attacker executes arbitrary code within the Chrome renderer sandbox, gaining the ability to run attacker-supplied JavaScript or native instructions in that context.
  • Confidential data accessible to the browser process, including stored session tokens, page content, and in-memory form data, is readable by the attacker.
  • The attacker can modify in-browser state, tamper with rendered page content, and issue requests to web services authenticated by the victim's active sessions.
  • The renderer process can be crashed or destabilized, disrupting the victim's browsing session and any active web application workflows.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome versions prior to 149.0.7827.53 are flagged automatically upon scan, with findings scored at CVSS 8.8 and prioritized accordingly. Where compliance policy permits, a rebuilt image pinned to the fixed version (149.0.7827.53) is prepared and, for customers who opt into auto-remediation, a regression test run is triggered and a pull request is opened against affected workloads. Teams that manage Chrome-bundling images manually will receive the finding in their configured inbox with remediation guidance pointing to the upstream fix version. Given the High severity and the network-reachable, no-auth attack surface, HarborGuard recommends treating this as an urgent rebuild target and reviewing any pipeline or tooling images that ship Chrome for internal developer or testing use.
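For teams that review Chrome-bundling images by hand, the sketch below shows the version gate such a review needs. It is an added example, not HarborGuard's code: it assumes each image's browser version is available as the banner printed by `google-chrome --version` or `chromium --version`, and the image names and sample versions are constructed. Components are compared as integers because a plain string comparison misorders builds such as `149.0.7827.100` and `149.0.7827.9` against `149.0.7827.53`.

```python
import re

FIXED = (149, 0, 7827, 53)  # fix version stated on this page

# Four dotted numeric components, as in Chrome/Chromium version banners.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(banner):
    """Return the version in a banner as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(banner):
    """True if older than the fix, False if not, None if nothing parsed."""
    version = parse_version(banner)
    if version is None:
        return None  # unknown: surface for manual review, never treat as safe
    return version < FIXED


def triage(inventory):
    """Split {image: banner} into affected, fixed and unparsed image lists."""
    result = {"affected": [], "fixed": [], "unparsed": []}
    for image, banner in sorted(inventory.items()):
        verdict = is_affected(banner)
        key = "unparsed" if verdict is None else ("affected" if verdict else "fixed")
        result[key].append(image)
    return result


# Constructed sample inventory (image names and versions are made up).
SAMPLE = {
    "ci/e2e-runner:latest": "Google Chrome 148.0.7778.96",
    "tools/pdf-render:2.1": "Chromium 149.0.7827.53 built on Debian",
    "qa/selenium-node:7": "Google Chrome 149.0.7827.100",
    "dev/scraper:old": "Google Chrome 149.0.7827.9",
    "base/unknown:1": "chrome: command not found",
}

if __name__ == "__main__":
    for status, images in triage(SAMPLE).items():
        print(status, images)
```

Images that land in the unparsed list have no readable version banner and need a manual check before they are considered clear.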


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H