How is CVE-2026-10965 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable in a browsing context exposed to external or attacker-controlled content. Authentication (not-required): No account or credentials are needed; any unauthenticated remote party can serve the malicious page. Victim interaction (required): The victim must visit or be redirected to a crafted HTML page, making a social-engineering or malicious-ad delivery vector necessary. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race-window timing, or memory-layout knowledge.

What is the impact of CVE-2026-10965?

Executes arbitrary code inside the Chrome renderer sandbox, giving the attacker a foothold to read in-browser session tokens, saved passwords, and page content. Modifies in-page content and DOM state, enabling credential harvesting or silent form-data interception. Disrupts the affected browser session and can crash the renderer process, causing loss of unsaved user work. Serves as a starting point for sandbox-escape chaining if a second vulnerability is available, potentially reaching the underlying host OS.

Back to search

HIGHCVE-2026-10965Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-10965: Integer overflow in DevTools in Google Chrome prior to 149

Integer overflow in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

An integer overflow vulnerability in the DevTools component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker to execute arbitrary code inside the browser sandbox by luring a user to a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, only a single user interaction (visiting a malicious page). Successful exploitation grants the attacker code execution within the Chrome sandbox, enabling data theft, content tampering, and potential sandbox-escape chaining. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-10965 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium runtime.

Available

Triage

HarborGuard scores this finding at CVSS 8.8 (High) and applies per-environment compliance policy weighting to prioritize routing, directing alerts to the appropriate team inbox within each customer organization based on configured severity thresholds and asset criticality.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to include an affected Chrome or Chromium version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable in a browsing context exposed to external or attacker-controlled content.
AuthenticationNot required
No account or credentials are needed; any unauthenticated remote party can serve the malicious page.
Victim interactionRequired
The victim must visit or be redirected to a crafted HTML page, making a social-engineering or malicious-ad delivery vector necessary.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race-window timing, or memory-layout knowledge.

Blast Radius

Executes arbitrary code inside the Chrome renderer sandbox, giving the attacker a foothold to read in-browser session tokens, saved passwords, and page content.
Modifies in-page content and DOM state, enabling credential harvesting or silent form-data interception.
Disrupts the affected browser session and can crash the renderer process, causing loss of unsaved user work.
Serves as a starting point for sandbox-escape chaining if a second vulnerability is available, potentially reaching the underlying host OS.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10965 activates within minutes of CVE publication for any customer image that bundles Chrome or Chromium prior to 149.0.7827.53. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the patched version, runs a regression test run against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are staged and a review-request notification is routed to the configured owner. Customers who cannot immediately update are advised to enforce network policies that restrict which origins Chrome instances can load, apply Content Security Policy controls on internally hosted pages, and consider disabling DevTools access in managed deployments as a compensating control while the rebuild is reviewed.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available