HIGH | CVE-2026-10995 | Published | Modified | CNA Chrome

CVE-2026-10995: Heap buffer overflow in TabStrip in Google Chrome prior to 149

Heap buffer overflow in TabStrip in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Heap buffer overflow in Google Chrome's TabStrip component (versions prior to 149.0.7827.53) allows a remote attacker to corrupt heap memory by tricking a user into performing specific UI interactions on a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though it does require the victim to engage with attacker-controlled content. The CVSS vector rates the impact on confidentiality, integrity, and availability as High: successful exploitation could let the attacker read, write, and crash the affected browser process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-10995 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle or depend on Chrome. Coverage extends to both registry scans and inline CI/CD pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to determine urgency. The Chromium project's own severity rating for this issue, quoted in the CVE description, is Medium. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available through HarborGuard once affected images are identified. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the victim's browser must be able to reach attacker-controlled web content.

  • Authentication: Not required

    No account or credential is needed; the attacker only needs to serve a page the victim visits.

  • Victim interaction: Required

    The attacker must convince the victim to perform specific UI gestures (such as tab interactions) on the crafted page, making social engineering a prerequisite.

  • Attack complexity: Low

    The CVSS vector rates attack complexity as low (AC:L), meaning the score assumes exploitation does not depend on race conditions, special memory layouts, or other unpredictable environmental factors.

Blast Radius

  • Reads arbitrary memory from the Chrome browser process, exposing stored session tokens, saved passwords, and in-memory page content.
  • Writes to heap memory, allowing the attacker to corrupt internal browser state or inject attacker-controlled data into the process.
  • Crashes the affected Chrome process, causing loss of the current browsing session and any unsaved in-tab state.
  • Heap corruption at this severity level is commonly leveraged as a stepping stone toward full renderer or browser process code execution.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10995 is active across all connected registries and pipelines, matching any image that ships a Chrome binary older than 149.0.7827.53. Because this is scored HIGH (8.8), it is prioritized at the top of the triage queue and routed to the relevant owner within each customer org based on compliance policy. For customers with auto-remediation enabled, HarborGuard can rebuild the affected image at the patched version, run regression tests against the new image, and open a pull request against impacted workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not permitted by compliance policy, HarborGuard surfaces the finding with remediation guidance pointing to the 149.0.7827.53 upgrade and flags the workload as non-compliant until the fix is confirmed.
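The version match described above can be reproduced locally. The following is an added example, not HarborGuard's matching logic: it assumes version strings in the form printed by `google-chrome --version`, and the image names and versions in the sample inventory are constructed. It compares the four version components numerically, since a plain string comparison misorders builds such as 149.0.7827.9 and 149.0.7827.100 against 149.0.7827.53.

```python
import re

FIXED = (149, 0, 7827, 53)  # fix version stated on this page

# Exactly four dot-separated numeric components, not part of a longer run.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the first four-part version in text as an int tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_output):
    """Classify one `--version` style string against the fixed build."""
    v = parse_chrome_version(version_output)
    if v is None:
        return "unknown"  # never treat an unparsable version as safe
    # Tuple comparison is numeric per component, so .9 < .53 < .100.
    return "affected" if v < FIXED else "fixed"


def scan(inventory):
    """inventory: mapping of image name -> version string. Returns statuses."""
    return {image: classify(out) for image, out in inventory.items()}


# Constructed sample inventory (image names and versions are made up).
SAMPLE = {
    "ci/e2e-runner": "Google Chrome 148.0.7778.96",
    "web/pdf-render": "Google Chrome 149.0.7827.9",
    "web/screenshot": "Google Chrome 149.0.7827.53",
    "qa/headless": "Google Chrome 149.0.7827.100 beta",
    "legacy/unknown": "chrome: not found",
}

if __name__ == "__main__":
    for image, status in scan(SAMPLE).items():
        print(f"{image:16} {status}")
```

Images reported as `unknown` need a manual check rather than being counted as patched.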


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H