Severity: HIGH | CVE-2026-10966 | CNA: Chrome

CVE-2026-10966: Inappropriate implementation in Codecs in Google Chrome prior to 149

Inappropriate implementation in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: High)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

An inappropriate implementation flaw in the Codecs component of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to potentially perform a sandbox escape by convincing a user to open a crafted video file. The vulnerability is reachable over the network and requires no authentication, though the victim must interact with malicious content. Successful exploitation has high confidentiality, integrity, and availability impact on the affected system, breaking out of Chrome's sandboxed process isolation. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome installation.

Triage: Available

HarborGuard scores this issue at CVSS 8.8 (HIGH) and can weight that score against each environment's compliance policy to prioritize alert routing; findings are surfaced to the inbox or ticketing integration configured by each customer organization.

Patch: Available

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the malicious video file over the network, so the affected Chrome instance must be reachable or browsing to attacker-controlled content on the internet or an internal network.

  • Authentication: Not required

    No account or credential is needed; the attacker only needs to get the victim to load the crafted content.

  • Victim interaction: Required

    The victim must open or navigate to a page containing the crafted video file, making this a social-engineering or drive-by delivery scenario.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or other environmental preconditions.

Blast Radius

  • Attacker escapes Chrome's sandbox and gains code execution in the context of the browser process on the host OS.
  • Confidentiality impact is high: the attacker can read files, credentials, and session data accessible to the browser process.
  • Integrity impact is high: the attacker can write or modify files and data on the host system.
  • Availability impact is high: the attacker can crash or terminate the browser process or other host services.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10966 is active against all scanned images, with triage scored at CVSS 8.8 HIGH and routed per each environment's compliance policy. A patched-image rebuild at Chrome 149.0.7827.53 is available immediately. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image, execute a regression run, and open a pull request against impacted workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are staged and ready for review in the HarborGuard dashboard.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H