How is CVE-2026-12022 exploited?

Network reachability (required): The attacker must deliver a malicious file to the victim over the network, requiring the target Chrome instance to be reachable or the user to visit attacker-controlled content. Authentication (not-required): No account credentials or login session are needed; the attack is launchable by any unauthenticated remote party. Victim interaction (required): The victim must interact with attacker-controlled content (for example, visiting a malicious page or opening a malicious file) to trigger the race condition. Attack complexity (info): Exploitation is rated high complexity because the attacker must first achieve a renderer process compromise before the race condition can be used for sandbox escape, introducing significant environmental prerequisites.

What is the impact of CVE-2026-12022?

An attacker escaping the sandbox gains the ability to read arbitrary files and data accessible to the Chrome process on the host macOS system. Write access outside the sandbox allows the attacker to modify files, plant persistent payloads, or alter application data on the host. The availability impact is high, meaning the attacker can crash or disrupt the affected Chrome instance and potentially other host processes. Because the scope is changed (S:C in the CVSS vector), impact extends beyond the browser sandbox to other components on the same host.

Back to search

HIGHCVE-2026-12022Published 2026-06-11Modified 2026-06-12CNA Chrome

CVE-2026-12022: Race in Safe Browsing in Google Chrome on Mac prior to 149

Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.115
Affected Products: 1

HarborGuard Analysis

Synopsis

A race condition in the Safe Browsing component of Google Chrome on macOS (versions prior to 149.0.7827.115) allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a malicious file. The vulnerability is reachable over the network but requires the victim to interact with attacker-controlled content, and the CVSS vector reflects high complexity due to the prerequisite renderer compromise. Successful exploitation gives the attacker full read, write, and availability impact outside the sandbox, effectively granting host-level code execution. A patched-image rebuild at version 149.0.7827.115 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-12022 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle or layer Chrome on macOS base layers, in both registry scans and CI pipeline checks.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.3 (HIGH) and weighting that score against each environment's compliance policy to determine urgency and route findings to the appropriate team inbox within the customer org.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.115 becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must deliver a malicious file to the victim over the network, requiring the target Chrome instance to be reachable or the user to visit attacker-controlled content.
AuthenticationNot required
No account credentials or login session are needed; the attack is launchable by any unauthenticated remote party.
Victim interactionRequired
The victim must interact with attacker-controlled content (for example, visiting a malicious page or opening a malicious file) to trigger the race condition.
Attack complexityDetail
Exploitation is rated high complexity because the attacker must first achieve a renderer process compromise before the race condition can be used for sandbox escape, introducing significant environmental prerequisites.

Blast Radius

An attacker escaping the sandbox gains the ability to read arbitrary files and data accessible to the Chrome process on the host macOS system.
Write access outside the sandbox allows the attacker to modify files, plant persistent payloads, or alter application data on the host.
The availability impact is high, meaning the attacker can crash or disrupt the affected Chrome instance and potentially other host processes.
Because the scope is changed (S:C in the CVSS vector), impact extends beyond the browser sandbox to other components on the same host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12022 is active across all connected registries and pipelines, with matching against any image that includes Chrome on a macOS-based layer. Where compliance policy permits, HarborGuard can initiate a patched-image rebuild at Chrome 149.0.7827.115, run regression checks against the rebuilt image, and open a PR targeting affected workloads. For environments with auto-remediation enabled, the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes. For customers whose compliance policy does not permit automated patching, HarborGuard surfaces the finding with CVSS 8.3 scoring and provides fix-version details so engineering teams can prioritize the upgrade manually. Given the sandbox-escape nature of this vulnerability and the changed-scope impact, prompt remediation is warranted for any environment running an affected Chrome version on macOS container images.

See how HarborGuard automates this

Fix available

149.0.7827.115

Affected packages

Google / Chrome
< 149.0.7827.115 (from 149.0.7827.115)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available