CVE-2026-10986: Integer overflow in Media in Google Chrome prior to 149
Integer overflow in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a malicious file. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
An integer overflow vulnerability in the Media component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker to execute arbitrary code inside the Chrome sandbox by tricking a user into opening a malicious file. The attack is reachable over the network and requires no authentication, but it does require the victim to interact with a crafted file. Successful exploitation gives an attacker code execution within the browser sandbox, which may serve as a stepping stone to further compromise. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-10986 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication using feeds from upstream sources including the Chrome CNA. This matching covers all images in customer registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome binary.
HarborGuard scores this CVE at 8.8 (HIGH) using the published CVSS v3.1 vector and weights findings against each customer organization's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer org based on configured ownership rules.
A patched-image rebuild at Chrome version 149.0.7827.53 is available on HarborGuard for any image found to include an affected Chrome or Chromium installation. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the malicious file over the network, so the targeted service or user must be reachable from an internet or network-adjacent position.
- Authentication: Not required
  No account or credential is needed; the attacker can target any Chrome user without prior authentication.
- Victim interaction: Required
  The victim must open or process a malicious file, requiring a social-engineering step such as a phishing link or a drive-by download.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Executes arbitrary code inside the Chrome renderer sandbox, giving the attacker a foothold in the browser process.
- Reads in-browser data including session tokens, saved credentials, and page content accessed during the session.
- Modifies or corrupts browser state and locally accessible data reachable from within the sandbox.
- Crashes or destabilizes the affected browser process, disrupting service for the victim user.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-10986 activates as soon as the CVE is ingested, matching any image that bundles a Chrome or Chromium binary below version 149.0.7827.53. Given the HIGH severity rating (CVSS 8.8) and the no-auth, network-reachable attack path, this finding is prioritized accordingly in triage routing. For customers who opt into auto-remediation, HarborGuard makes a rebuilt image at the fixed version available, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding is surfaced in the customer dashboard with remediation guidance pointing to the 149.0.7827.53 release. As a compensating control for environments that cannot update immediately, consider network-policy rules that restrict which workloads can serve or fetch arbitrary user-supplied files through Chrome-based rendering pipelines.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H