HIGH | CVE-2026-12016 | CNA: Chrome

CVE-2026-12016: Inappropriate implementation in DevTools in Google Chrome prior to 149

Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.115
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in Google Chrome's DevTools component affecting versions prior to 149.0.7827.115. The flaw is reachable over the network but requires the attacker to have already compromised the renderer process and to trick a user into visiting a crafted HTML page. Successful exploitation allows an attacker to break out of the Chrome sandbox, gaining the ability to read data, modify files, and execute code at a higher privilege level on the host. A patched-image rebuild at version 149.0.7827.115 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.3 (High) and can weight it further against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer org.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.115 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must deliver a crafted HTML page to the victim over the network, so the Chrome instance must be reachable or the user must browse to attacker-controlled content.

  • Authentication: Not required

    No account or credential is needed; the attack is launched through a crafted page accessible to any unauthenticated visitor.

  • Victim interaction: Required

    The victim must open or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.

  • Attack complexity: Detail

    Exploitation is rated High complexity because the attacker must first have compromised the renderer process before leveraging this flaw for a sandbox escape, introducing a meaningful prerequisite step.

Blast Radius

  • Attacker breaks out of the Chrome sandbox and gains code execution in the context of the browser process on the host.
  • Confidential data accessible to the browser process, including stored credentials, cookies, and local files, becomes readable.
  • The attacker can write or modify files on the host filesystem at the privilege level of the browser process.
  • The host process can be crashed or made unavailable, disrupting the user's session and any services depending on the browser component.

How HarborGuard Handles This

Available on HarborGuard: any image containing a Chrome or Chromium binary older than 149.0.7827.115 is flagged automatically when the CVE feed is ingested, typically within minutes of publication. A rebuild at the patched version is made available immediately after the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, executes the configured regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding is routed to the designated team inbox with full CVSS context and a direct reference to the fix version so engineers can act without additional research.

Fix available: 149.0.7827.115

Affected packages
  • Google / Chrome
    < 149.0.7827.115 (from 149.0.7827.115)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H