CVE-2026-10973: Uninitialized Use in Dawn in Google Chrome prior to 149
Uninitialized Use in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 7.4
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An uninitialized-use vulnerability in Dawn, the WebGPU backend in Google Chrome, allows a remote attacker to leak cross-origin data. The attack is reachable over the network, requires no authentication, but does require the victim to visit or interact with a crafted HTML page. Successful exploitation reads data from origins the attacker should not have access to, such as session tokens or page content from other tabs or iframes. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome binary.
AvailableHarborGuard scores this CVE at 7.4 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy, then routes the finding to the appropriate team inbox within the customer org.
AvailableA patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression suite, and opens a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network by hosting a crafted HTML page that the victim's browser fetches remotely.
- AuthenticationNot required
No account, session, or credential on the target system is needed to deliver the exploit.
- Victim interactionRequired
The victim must navigate to or otherwise load the attacker-controlled HTML page, making this a social-engineering vector requiring a click, redirect, or embedded resource load.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory layout randomization, or other environmental factors.
Blast Radius
- The attacker reads data belonging to other web origins, including page content, DOM state, or HTTP responses that the browser's same-origin policy should have blocked.
- Cross-origin session tokens or authentication cookies accessible to the renderer process can be read and exfiltrated.
- Sensitive data rendered in other tabs, iframes, or background service workers within the same browser profile is exposed to the attacker.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-10973 is active against all scanned images the moment the CVE was published. For environments where images bundle Chrome or Chromium below 149.0.7827.53, a rebuilt image at the fix version is ready to deploy. Customers with auto-remediation enabled receive the rebuilt image, a regression-test run, and a PR opened against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in those environments is around 90 minutes. Where compliance policy requires manual approval, HarborGuard queues the rebuilt image and surfaces the finding with full CVSS context so the responsible team can act immediately.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N