CVE-2026-10974: Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 149
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
Insufficient input validation in ANGLE (the graphics abstraction layer inside Google Chrome) allows a remote attacker to escape Chrome's sandbox via a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though the victim must visit a malicious page; it is rated Critical at CVSS 9.6. Successful exploitation gives the attacker full confidentiality, integrity, and availability impact beyond the browser sandbox, effectively allowing arbitrary code execution on the host. A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-10974 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chromium or Chrome binary.
Available
HarborGuard scores this CVE at CVSS 9.6 Critical and is capable of weighting that score against each customer environment's compliance policy to determine urgency and route the finding to the appropriate team inbox inside each customer organization.
Available
A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network; the target Chrome instance must be reachable in the sense that the victim's browser fetches and renders the attacker-controlled HTML page.
- Authentication: Not required
No account or credential is needed; any unauthenticated party who can serve a web page to the victim can attempt exploitation.
- Victim interaction: Required
The victim must navigate to or be directed to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.
- Attack complexity: Detail
Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.
Blast Radius
- A successful sandbox escape lets the attacker execute arbitrary code with the privileges of the Chrome renderer process outside the sandbox, bypassing the primary browser security boundary.
- The attacker can read files, credentials, and session tokens accessible to the user running Chrome on the host.
- The attacker can modify or delete files and data accessible to that user, including application state and configuration on the host.
- The attacker can crash or destabilize the host process or launch further payloads, disrupting service availability for the affected user.
How HarborGuard Handles This
Available on HarborGuard: any image containing a Chrome or Chromium binary older than 149.0.7827.53 is flagged within minutes of CVE ingestion. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fixed version, runs a regression test, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated inbox with the CVSS 9.6 score and full vector context attached. Given that this is a sandbox escape with a network-delivery path, customers who cannot immediately apply the rebuild are encouraged to enforce network policies that restrict outbound browser access to untrusted origins and to consider disabling the affected Chrome deployment until the patched image is applied.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H