HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-10969Published Modified CNA Chrome

CVE-2026-10969: Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149

Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Metrics

CVSS v3.1
7.5
Severity
HIGH
Fixed in
149.0.7827.53
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Insufficient input validation in the Extensions component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escalate privileges through a crafted HTML page. The attack is reachable over the network but requires the victim to interact with a malicious page, and no authentication is needed. Successful exploitation gives the attacker elevated privileges within the browser, enabling full read, write, and disruption of affected resources. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and active pipelines, including custom-built images that bundle a Chrome or Chromium binary.

Available
Triage

HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector and weights it further against each environment's compliance policy, then routes findings to the appropriate team inbox within each customer organization.

Available
Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to include an affected Chrome version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the crafted HTML page over the network, so the service must be reachable from a remote origin.

  • AuthenticationNot required

    No account or credentials are needed; any unauthenticated user browsing to the malicious page can trigger the vulnerability.

  • Victim interactionRequired

    The target must visit or be directed to a crafted HTML page, making social engineering or malicious-ad delivery a necessary part of the attack chain.

  • Attack complexityDetail

    Exploitation is rated High complexity because it requires a prior renderer-process compromise as a precondition, introducing significant environmental constraints.

Blast Radius

  • A successful attacker reads sensitive data accessible at elevated browser-privilege level, including stored credentials, session tokens, and page content from cross-origin contexts.
  • The attacker modifies browser state or persisted data at an escalated privilege level, potentially altering extension behavior or injecting code into privileged browser contexts.
  • The attacker can disrupt or crash browser components running at elevated privilege, causing loss of availability for the affected browser session or associated services.
  • Because all three CVSS impact dimensions are rated High, the attacker gains broad control over the compromised browser process and any resources it can reach.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any customer image that bundles Chrome prior to 149.0.7827.53, including internally built images. A rebuild at the fixed version (149.0.7827.53) is made available immediately upon detection. For customers who have opted into auto-remediation, HarborGuard queues a patched rebuild, runs a regression test pass, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automatic remediation, the finding is surfaced in the HarborGuard dashboard with fix-version detail and CVSS context so teams can act manually. Because this exploit requires a pre-compromised renderer process, teams should also consider container-level sandboxing controls and network-egress policies that limit what a compromised Chrome process can reach, as compensating controls while a patched image is prepared.

See how HarborGuard automates this

Fix available

149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
References