CVE-2026-12007: Use after free in Core in Google Chrome on Windows prior to 149
Use after free in Core in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.115
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Use-after-free vulnerability in Google Chrome's Core component on Windows allows a remote attacker to execute arbitrary code. The attacker reaches the target over the network and requires no authentication, but does need the victim to visit or interact with a crafted HTML page. Successful exploitation gives the attacker full code execution in the context of the browser process, enabling data theft, tampering, and service disruption. A patched-image rebuild at version 149.0.7827.115 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-12007 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chromium or Chrome binary. Any image running a Chrome version below 149.0.7827.115 on Windows is flagged automatically.
AvailableHarborGuard scores this CVE at CVSS 8.8 (High) and surfaces it accordingly in each customer's triage queue, weighted against that environment's compliance policy. Routing rules direct the alert to the team or inbox responsible for browser-runtime components within each org.
AvailableA patched-image rebuild at Chrome 149.0.7827.115 is available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the victim's browser over the network by serving a crafted HTML page from a remote origin.
- AuthenticationNot required
No account or credentials are needed; the attacker only needs the victim to load the malicious page.
- Victim interactionRequired
The victim must visit or be directed to a crafted HTML page, making this a social-engineering or drive-by scenario.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout.
Blast Radius
- The attacker executes arbitrary code in the Chrome browser process, gaining the same privileges as the running browser instance.
- Confidential data accessible to the browser, including stored credentials, session tokens, and locally cached files, can be read and exfiltrated.
- The attacker can write or modify data accessible to the browser process, including cookies, local storage, and downloaded files.
- The browser process can be crashed or hijacked, denying service to the user and enabling a persistent foothold for further exploitation.
How HarborGuard Handles This
Available on HarborGuard: any image containing Google Chrome below 149.0.7827.115 on Windows is matched against CVE-2026-12007 within minutes of the image entering a customer registry or CI pipeline. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the fixed version, runs regression tests, and opens a PR against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy requires manual approval, the triage card surfaces the CVSS 8.8 score, the affected version range, and the available fix version so engineers can act immediately. Custom images that vendor or bundle a Chrome binary are covered by the same matching logic, not only images pulling from official upstream sources.
Fix available
- Google / Chrome< 149.0.7827.115 (from 149.0.7827.115)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H