HIGH | CVE-2026-10978 | CNA: Chrome

CVE-2026-10978: Use after free in Chromoting in Google Chrome on Windows prior to 149

Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Chromoting component of Google Chrome on Windows allows a remote attacker to execute arbitrary code. The attacker must reach the target over the network and trick the victim into interacting with malicious content, but no account credentials are needed. Successful exploitation gives the attacker full control over the affected process, enabling data theft, file tampering, and service disruption. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including internally built images that bundle Chrome on Windows base layers. Any image carrying a Chrome version below 149.0.7827.53 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and weights it further against each customer environment's compliance policy, so teams with stricter controls see it prioritized accordingly. Findings are routed to the inbox or ticketing integration configured for the affected workload's owner.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard as soon as the fix version is confirmed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against every affected workload.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target over the network; the vulnerable Chromoting component is exposed to network traffic.

  • Authentication: Not required

    No account credentials or session token are needed; the attacker can initiate the attack without any prior authentication.

  • Victim interaction: Required

    The victim must interact with attacker-controlled content, such as visiting a malicious page or processing crafted network traffic, making this a social-engineering-dependent attack.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental prerequisites.

Blast Radius

  • Reads arbitrary files and in-memory data accessible to the Chrome process, including stored credentials and session tokens.
  • Writes or overwrites files within the permissions of the compromised process, enabling persistent payload installation.
  • Executes attacker-supplied code in the context of the Chrome renderer or broker process on the victim's Windows host.
  • Crashes or destabilizes the affected Chrome instance, disrupting access to any services the user was interacting with.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10978 is active across all customer environments, matching any image that ships Chrome below 149.0.7827.53. Where a customer's registry or CI pipeline produces Windows-based images bundling Chrome, those images surface in the findings list with the full CVSS 8.8 HIGH score attached. For customers who opt into auto-remediation, HarborGuard rebuilds the image at 149.0.7827.53, executes the configured regression test run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval before any image replacement, the finding is held in the approval queue with remediation steps and the target version pre-populated, so the reviewer only needs to confirm before the rebuild proceeds.


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H