HIGH | CVE-2026-10991 | CNA: Chrome

CVE-2026-10991: Use after free in V8 in Google Chrome prior to 149

Use after free in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the V8 JavaScript engine affects Google Chrome versions prior to 149.0.7827.53. The flaw is reachable over the network with no authentication required, but the attacker must convince a user to perform specific UI gestures on a crafted HTML page. Successful exploitation enables arbitrary code execution inside the Chrome sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-10991 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. This matching covers custom-built images that bundle Chrome or Chromium alongside standard base images.

Triage: Available

HarborGuard is capable of scoring this CVE at 8.8 HIGH (CVSS v3.1) and weighting that score against each environment's compliance policy to produce a prioritized finding. Triage routing to the appropriate team inbox within each customer organization is available as part of the standard pipeline.

Patch: Available

A patched-image rebuild at Chrome 149.0.7827.53 is available for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by serving a crafted HTML page, so the target host must run a browser that can make outbound network requests.

  • Authentication: Not required

    No credentials or account are needed; the attacker only needs the victim to visit a page they control.

  • Victim interaction: Required

    The attacker must convince the user to perform specific UI gestures on the crafted page, making social engineering a prerequisite for exploitation.

  • Attack complexity: Detail

    Attack complexity is low (AC:L in the CVSS vector), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • Executes arbitrary code in the context of the Chrome renderer process inside the sandbox, giving the attacker a foothold for sandbox-escape chaining.
  • Reads sensitive data accessible to the browser process, including session tokens, cached credentials, and page content from visited sites.
  • Modifies browser state or injects content into pages, enabling credential theft or in-browser data tampering.
  • Crashes or destabilizes the affected browser process, causing denial of service for the user session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10991 activates within minutes of CVE publication and matches against any image in a customer registry or build pipeline that bundles an affected Chrome or Chromium release. For customers who opt into auto-remediation, HarborGuard can rebuild the image at the fixed version (149.0.7827.53), run regression tests, and open a pull request against affected workloads; for high-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS scoring and fix-version detail attached, so reviewers have the context needed to act without additional research.


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H