CVE-2026-12014: Use after free in Cast in Google Chrome prior to 149
Use after free in Cast in Google Chrome prior to 149.0.7827.115 allowed an attacker on the local network segment to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.3
- Severity: HIGH
- Fixed in: 149.0.7827.115
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Cast component of Google Chrome (versions prior to 149.0.7827.115) allows an attacker on the same local network segment to exploit freed memory and escape the browser sandbox via crafted network traffic. The attack requires no authentication and no victim interaction, but the attacker must share the local network (LAN, Wi-Fi, or VPN segment) with the targeted host. Successful exploitation gives the attacker full read, write, and availability impact outside the browser sandbox, effectively achieving code execution in the context of the host process. A patched-image rebuild at version 149.0.7827.115 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection capability for CVE-2026-12014 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or depend on an affected Chrome version. Any image in a connected registry or CI pipeline is eligible for this scan without additional configuration.
HarborGuard is capable of scoring this finding at CVSS 8.3 (HIGH) and weighting it against each environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate inbox or ticketing integration within the customer org based on policy configuration.
A patched-image rebuild at Chrome 149.0.7827.115 becomes available through HarborGuard once the upstream fix is confirmed, and customers with auto-remediation enabled receive an automated rebuild, regression-test run, and a pull request opened against affected workloads. For environments where compliance policy permits auto-remediation, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes.
Exploit Conditions
- Network reachability
The attacker must be on the same adjacent network segment (LAN, Wi-Fi, or VPN) as the target; remote internet-based exploitation is not possible via this vector.
- Authentication: Not required
No account or credential is needed; the attacker sends malicious network traffic directly to the vulnerable Cast service.
- Victim interaction: Not required
The exploit is delivered entirely through network traffic and does not require the user to click, open, or interact with anything.
- Attack complexity
Exploitation is rated high complexity, meaning it likely depends on race conditions, specific memory layout, or other environmental factors that make reliable exploitation non-trivial.
Blast Radius
- The attacker escapes the Chrome browser sandbox and gains code execution in the context of the host OS process.
- Confidential data accessible to the Chrome process, including stored credentials, session tokens, and browsing history, becomes readable to the attacker.
- The attacker can write or modify files and system state accessible to the compromised process, including persistent storage and configuration.
- The attacker can crash or destabilize the affected process and dependent services, causing a denial of service on the host.
How HarborGuard Handles This
Available on HarborGuard: the platform continuously ingests upstream Chrome advisories and can match CVE-2026-12014 against any image in a customer registry or pipeline that bundles an affected Chrome version, including internally built images. For customers with auto-remediation enabled, HarborGuard can rebuild the image at the patched version (149.0.7827.115), run a regression test suite, and open a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding is routed to the configured team inbox with CVSS 8.3 HIGH scoring and policy-weighted urgency so engineers can act manually. Given the adjacent-network attack vector and sandbox-escape severity, customers are also encouraged to consider network-policy controls that restrict access to Cast-related ports on workloads running Chrome, limiting exposure while a patch is applied.
Fix available
- Google / Chrome < 149.0.7827.115 (from 149.0.7827.115)
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H