Severity: HIGH | CVE-2026-10967 | CNA: Chrome

CVE-2026-10967: Use after free in SurfaceCapture in Google Chrome on Android prior to 149

Use after free in SurfaceCapture in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Use-after-free in the SurfaceCapture component of Google Chrome on Android (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the Chrome renderer process to escape the browser sandbox via a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, but it does require the victim to interact with attacker-controlled content, and the attacker must already hold a foothold in the renderer. Successful exploitation has full confidentiality, integrity, and availability impact beyond the sandbox boundary. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built Android or Chrome-derived container images. Any image embedding a vulnerable Chrome build (below 149.0.7827.53) is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.3 (HIGH) and surfaces it accordingly in each customer's compliance policy workflow, adjusting priority weighting based on per-environment rules. Findings are routed to the team inbox configured for the affected workload within each customer organization.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any image identified as running an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by serving a crafted HTML page, so the affected device must be reachable or must browse to attacker-controlled content.

  • Authentication: Not required

    No account or credential is needed; the attacker operates as an anonymous remote party.

  • Victim interaction: Required

    The victim must visit or interact with a crafted HTML page, making this a social-engineering-dependent attack.

  • Attack complexity: Detail

    Exploitation is rated AC:H, meaning the attacker must first achieve a renderer-process compromise before this use-after-free can be leveraged for a sandbox escape, introducing a significant environmental dependency.

Blast Radius

  • A successful sandbox escape lets the attacker execute arbitrary code outside the Chrome sandbox with the privileges of the Android application process.
  • Confidentiality impact is high: the attacker reads data accessible to the Chrome process, including stored credentials, session tokens, and browsing history on the device.
  • Integrity impact is high: the attacker writes or modifies files and data within the scope of the Chrome process and potentially broader Android storage permissions.
  • Availability impact is high: the attacker crashes or hangs the browser process and may destabilize dependent system services on the affected Android device.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any customer image containing a Chrome build below 149.0.7827.53, covering both registry scans and in-pipeline image checks. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the patched version (149.0.7827.53), runs a regression test suite against the new image, and opens a pull request against affected workloads. For high-severity CVEs, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who have not enabled auto-remediation receive a prioritized finding in their dashboard with the fix version identified, so engineering teams can act without needing to track the upstream advisory manually.

Fix available

149.0.7827.53

Affected packages

  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H