How is CVE-2026-12019 exploited?

Network reachability (required): The attacker must reach the victim over the network by serving or directing the target to a crafted HTML page hosted remotely. Authentication (not-required): No account or credential is required to deliver the malicious page to the victim. Victim interaction (required): The victim must open or navigate to a crafted HTML page, requiring a social-engineering step to direct user action. Attack complexity (info): Exploit reliability is reduced because the attacker must have already compromised the Chrome renderer process before leveraging this overflow for a sandbox escape, introducing a significant prerequisite condition.

What is the impact of CVE-2026-12019?

An attacker who succeeds reads data accessible outside the Chrome sandbox, including files and credentials on the host system. The attacker can modify files, configuration, or persistent data on the underlying Linux or ChromeOS host beyond the browser process. The attacker can crash or disrupt processes outside the browser sandbox, affecting host-level service availability. Sandbox escape enables arbitrary code execution at the privilege level of the Chrome process user on the host.

Back to search

HIGHCVE-2026-12019Published 2026-06-11Modified 2026-06-12CNA Chrome

CVE-2026-12019: Heap buffer overflow in Codecs in Google Chrome on Linux and ChromeOS prior to 149

Heap buffer overflow in Codecs in Google Chrome on Linux and ChromeOS prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.115
Affected Products: 1

HarborGuard Analysis

Synopsis

A heap buffer overflow exists in the Codecs component of Google Chrome on Linux and ChromeOS prior to version 149.0.7827.115. The vulnerability is reachable over the network but requires the attacker to have already compromised the Chrome renderer process and to trick a user into visiting a crafted HTML page; exploit reliability is reduced by high attack complexity conditions. Successful exploitation allows the attacker to escape the Chrome sandbox, gaining the ability to read, modify, or destroy data and processes outside the browser's sandboxed environment. A patched-image rebuild at version 149.0.7827.115 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-12019 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed publication. Coverage extends to custom-built images that bundle Chrome on Linux or ChromeOS base layers.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.3 (HIGH) and applying per-environment compliance policy weighting to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available automatically based on policy configuration.

Available

Patch

A patched-image rebuild at Chrome version 149.0.7827.115 becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, the platform performs the rebuild, runs a regression test suite, and opens a PR against affected workloads.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the victim over the network by serving or directing the target to a crafted HTML page hosted remotely.
AuthenticationNot required
No account or credential is required to deliver the malicious page to the victim.
Victim interactionRequired
The victim must open or navigate to a crafted HTML page, requiring a social-engineering step to direct user action.
Attack complexityDetail
Exploit reliability is reduced because the attacker must have already compromised the Chrome renderer process before leveraging this overflow for a sandbox escape, introducing a significant prerequisite condition.

Blast Radius

An attacker who succeeds reads data accessible outside the Chrome sandbox, including files and credentials on the host system.
The attacker can modify files, configuration, or persistent data on the underlying Linux or ChromeOS host beyond the browser process.
The attacker can crash or disrupt processes outside the browser sandbox, affecting host-level service availability.
Sandbox escape enables arbitrary code execution at the privilege level of the Chrome process user on the host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12019 is active across customer environments for any image bundling Chrome on Linux or ChromeOS base layers, matched within minutes of CVE publication. A patched-image rebuild at version 149.0.7827.115 is available for affected environments. Where compliance policy permits auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a PR against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers not yet on auto-remediation can use the HarborGuard findings dashboard to identify affected images and initiate a manual rebuild at the fix version.

See how HarborGuard automates this

Fix available

149.0.7827.115

Affected packages

Google / Chrome
< 149.0.7827.115 (from 149.0.7827.115)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available