CVE-2026-10975: Use after free in WebRTC in Google Chrome prior to 149
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability affects the WebRTC component of Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network with no authentication required, but the victim must visit a crafted HTML page for exploitation to succeed. Successful exploitation gives a remote attacker the ability to execute arbitrary code inside the Chrome sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-10975 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. This coverage extends to custom-built images that bundle a Chrome or Chromium binary below version 149.0.7827.53.
AvailableHarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 8.8 (HIGH) and weighting it against each customer environment's compliance policy. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted remotely, so the Chrome instance must be reachable to the open internet or an attacker-controlled network segment.
- AuthenticationNot required
No account credentials or prior authentication are needed; any unauthenticated remote attacker can serve the malicious page.
- Victim interactionRequired
The victim must actively open or be redirected to a crafted HTML page, making this a social-engineering or malicious-link scenario.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- A successful attacker executes arbitrary code inside the Chrome renderer sandbox, gaining control of the sandboxed process.
- Confidential data processed in the browser context, such as page contents, form input, and in-memory session material, is exposed to the attacker.
- The attacker can write or modify data within the sandboxed process, including altering rendered content or injecting further payloads.
- The affected Chrome process can be crashed or made unresponsive, disrupting the user's browsing session.
How HarborGuard Handles This
Available on HarborGuard: detection of this use-after-free vulnerability is matched against all customer images within minutes of CVE publication, including images that bundle Chrome or Chromium directly. Where an affected version is confirmed, a rebuilt image at Chrome 149.0.7827.53 becomes available. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test pass, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. Customers without auto-remediation enabled will see the finding surfaced in their dashboard with the fix version noted, ready for manual action.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H