HIGH | CVE-2026-12009 | CNA: Chrome

CVE-2026-12009: Insufficient validation of untrusted input in Accessibility in Google Chrome on Mac prior to 149

Insufficient validation of untrusted input in Accessibility in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.115
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an insufficient input validation vulnerability in the Accessibility component of Google Chrome on macOS, affecting versions prior to 149.0.7827.115. It is reachable over the network and requires no authentication, though an attacker must already have compromised the Chrome renderer process and must convince a victim to visit a crafted HTML page. Successful exploitation enables a sandbox escape, giving the attacker capabilities beyond the normally isolated renderer, including potential full confidentiality, integrity, and availability impact on the host. A patched-image rebuild at version 149.0.7827.115 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection for CVE-2026-12009 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Chrome on macOS base layers. Any image carrying a Chrome version below 149.0.7827.115 is flagged immediately upon scan or on next pipeline run.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.3 HIGH (v3.1) and surfaces it with per-environment compliance policy weighting applied, so teams with stricter sandbox-escape policies see it escalated accordingly. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.115 becomes available through HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim over the network by delivering a crafted HTML page, making over-the-network exposure a prerequisite.

  • Authentication: Not required

    No account or credentials are needed; the attack is launched against an unauthenticated browser session.

  • Victim interaction: Required

    The victim must open a crafted HTML page, requiring the attacker to use phishing, malvertising, or another social-engineering vector to drive the visit.

  • Attack complexity: Detail

    Exploitation is rated high complexity because the attacker must already have compromised the renderer process before the sandbox escape can be attempted, introducing a significant prerequisite condition.

Blast Radius

  • A successful sandbox escape lets the attacker read arbitrary files and data outside the Chrome renderer sandbox on the host macOS system.
  • The attacker can write or modify files and system state beyond the sandbox boundary, enabling persistence or tampering with other applications.
  • The attacker can crash or destabilize processes outside the renderer, disrupting the availability of the host system or co-located services.

How HarborGuard Handles This

Available on HarborGuard: any image that bundles Google Chrome on a macOS base layer is scannable for this CVE, and a patched rebuild at version 149.0.7827.115 is available the moment a matching image is identified. For customers who opt into auto-remediation, the full flow (image rebuild, regression run, and PR opened against affected workloads) engages automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in auto-remediation-enabled environments. Where compliance policy does not permit automatic remediation, HarborGuard surfaces the finding with full CVSS context and policy-weighted priority so the owning team can act manually. Given the sandbox-escape nature of this vulnerability and its scope change (S:C in the CVSS vector), treating this as critical in practice is warranted even at the HIGH label, and tightening container admission policies to block images below 149.0.7827.115 is a practical compensating control until a rebuild is confirmed.


Fix available: 149.0.7827.115
Affected packages
  • Google / Chrome
    < 149.0.7827.115 (from 149.0.7827.115)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H