CVE-2026-10982: Use after free in WebXR in Google Chrome prior to 149
Use after free in WebXR in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the WebXR component of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the browser sandbox. The flaw is reachable over the network without any login credentials, but requires the target user to visit a crafted HTML page. Successful exploitation gives the attacker arbitrary code execution within the Chrome sandbox, enabling further attacks depending on sandbox escape capability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-10982 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. Coverage extends to custom-built images that bundle a Chrome binary, not only upstream base images.
HarborGuard surfaces this CVE with its CVSS v3.1 score of 8.8 (HIGH) and can weight that score against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer org based on configured policy rules.
A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment whose scanned images include an affected Chrome version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted remotely.
- Authentication: Not required
No login credentials or account are needed; the attacker requires no prior authentication to the targeted service or host.
- Victim interaction: Required
The victim must navigate to or be redirected to a crafted HTML page, making this a social-engineering or malicious-link scenario.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Attacker executes arbitrary code within the Chrome renderer sandbox, gaining control of the sandboxed process.
- Confidential data accessible to the renderer, including page content and in-memory session material, is readable by the attacker.
- The attacker can modify in-renderer state and inject content into the browsing context, affecting data integrity within the session.
- The sandboxed Chrome process can be crashed or destabilized, disrupting the user's browser session.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome prior to 149.0.7827.53 are flagged automatically when the CVE is matched against a customer's registry or pipeline, typically within minutes of publication. A patched-image rebuild at version 149.0.7827.53 is available for affected images. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests against the resulting image, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy requires manual approval, the finding is routed to the configured team inbox with the CVSS 8.8 HIGH score and policy weighting attached for prioritization. Customers who build custom images on top of a Chrome base should ensure those images are included in their HarborGuard scan scope so the match fires correctly.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H