CVE-2026-10987: Integer overflow in V8 in Google Chrome prior to 149
Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An integer overflow in the V8 JavaScript engine affects Google Chrome versions prior to 149.0.7827.53. The vulnerability is reachable over the network and requires no authentication, though a victim must visit a crafted HTML page for exploitation to succeed. Successful exploitation gives an attacker arbitrary code execution inside the Chrome sandbox, enabling data disclosure, content tampering, and potential service disruption. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-10987 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. Coverage extends to custom-built images that bundle a Chrome or Chromium binary at an affected version.
AvailableHarborGuard is capable of scoring this CVE at 8.8 HIGH (CVSS v3.1) and weighting that score against each environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild pinned to Chrome 149.0.7827.53 is available for environments confirmed to carry an affected version. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run regression tests, and open a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must be able to reach the victim over the network, as the crafted HTML page is delivered remotely via a standard browser request.
- AuthenticationNot required
No account or credentials on the target system are needed; any unauthenticated remote attacker can attempt exploitation.
- Victim interactionRequired
A victim must be social-engineered into visiting a crafted HTML page, making user interaction a necessary step for exploitation.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and imposes no special conditions such as race timing or specific memory layout requirements.
Blast Radius
- A successful attacker executes arbitrary code within the Chrome sandbox, gaining control of the renderer process.
- Confidential data visible to the browser process, including page contents, stored credentials, and session tokens, can be read.
- The attacker can modify in-page content and inject malicious scripts, tampering with data the victim sees and submits.
- The compromised renderer process can be crashed or made unresponsive, disrupting browser availability for the victim.
How HarborGuard Handles This
Available on HarborGuard: detection and remediation capabilities for CVE-2026-10987 are ready for any environment that bundles a Chrome or Chromium binary below version 149.0.7827.53. Where compliance policy permits auto-remediation, HarborGuard can rebuild the affected image at the fixed version, run a regression test suite against it, and open a pull request targeting affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually will find the fixed version and affected image inventory surfaced in the HarborGuard dashboard for immediate action.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H