CVE-2026-10989 | Severity: HIGH | CNA: Chrome

CVE-2026-10989: Inappropriate implementation in V8 in Google Chrome prior to 149

Inappropriate implementation in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Heap corruption via inappropriate implementation in Google Chrome's V8 JavaScript engine affects all Chrome versions before 149.0.7827.53. The vulnerability is reachable over the network and requires no authentication, but a victim must be convinced to perform specific UI gestures on a crafted HTML page. Successful exploitation gives an attacker full read, write, and execution capability within the affected browser process, enabling data theft, content manipulation, or remote code execution. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-10989 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle a Chromium or Chrome installation. Any image in a customer registry or CI pipeline carrying a Chrome version below 149.0.7827.53 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are delivered to the inbox or ticketing integration configured for the relevant team within each customer organization.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available through HarborGuard once the fix version is confirmed in the upstream advisory. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the victim's browser must be able to reach an attacker-controlled or compromised web origin.

  • Authentication: Not required

    No account or credentials are needed; any user who visits the malicious page is a valid target.

  • Victim interaction: Required

    The attacker must convince the victim to perform specific UI gestures on the crafted page, requiring a degree of social engineering to complete the exploit.

  • Attack complexity: Detail

    Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, memory layout randomization, or other variable environmental factors.

Blast Radius

  • Reads in-process memory, including stored session cookies, saved credentials, and page content from other origins accessible to the browser process.
  • Writes arbitrary data into heap memory, allowing the attacker to overwrite internal V8 structures and escalate toward controlled code execution.
  • Executes attacker-supplied code within the Chrome renderer process, enabling further exploitation of the host if sandbox escapes are chained.
  • Crashes or destabilizes the affected browser process if exploitation is only partially successful, causing denial of service for the user.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of advisory ingestion for any image in a customer registry or pipeline that includes a Chrome build below 149.0.7827.53. Where compliance policy permits, a rebuilt image at the patched version is prepared automatically. For customers who opt into auto-remediation, HarborGuard runs a full rebuild, executes regression tests against the new image, and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity findings. Customers who manage remediation manually can act directly on the flagged finding, which includes the fix version, CVSS detail, and a link to the upstream Chromium advisory. Until patched images are deployed, network-policy controls that restrict end-user workloads from reaching untrusted web origins, and browser-policy settings that limit navigation to known-good domains, serve as compensating controls to reduce exposure.
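For teams that manage remediation manually, the check behind "a Chrome build below 149.0.7827.53" comes down to a numeric, field-by-field version comparison. The sketch below is an added example, not HarborGuard's code; the banner strings are constructed samples in the style of `google-chrome --version` output, and the function names are hypothetical.

```python
import re

FIXED = (149, 0, 7827, 53)  # fix version stated on this page

# Four-part Chrome/Chromium version anywhere in a banner string.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(banner):
    """Return the version as a tuple of ints, or None if none is present."""
    m = _VERSION_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(banner, fixed=FIXED):
    """True if below the fix, False if at or above it, None if unparseable."""
    version = parse_version(banner)
    if version is None:
        return None  # unknown build: route to manual review, do not assume safe
    # Tuples of ints compare field by field. Comparing the raw strings would
    # rank "149.0.7827.9" above "149.0.7827.53" and miss an affected build.
    return version < fixed

# Constructed sample banners (not taken from the page).
SAMPLES = [
    "Google Chrome 148.0.7778.96",
    "Google Chrome 149.0.7827.9",
    "Chromium 149.0.7827.53 built on Debian",
    "Google Chrome 149.0.7827.100",
    "chrome: not found",
]

def triage(samples=SAMPLES):
    """Map each banner to its verdict."""
    return {s: is_affected(s) for s in samples}

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "ok", None: "UNKNOWN"}
    for banner, verdict in triage().items():
        print(f"{labels[verdict]:8} {banner}")
```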


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H