HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-12027Published Modified CNA Chrome

CVE-2026-12027: Inappropriate implementation in Headless in Google Chrome prior to 149

Inappropriate implementation in Headless in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
149.0.7827.115
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in the Headless component of Google Chrome versions prior to 149.0.7827.115. An attacker who has already compromised the Chrome renderer process can exploit an inappropriate implementation flaw by serving the victim a crafted HTML page, delivered over the network with no authentication required but needing the victim to visit a malicious page. Successful exploitation breaks out of the Chrome sandbox, giving the attacker full access to the underlying host process with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.115 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-12027 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium. Any image found to carry a Chrome version below 149.0.7827.115 is flagged automatically.

Available
Triage

HarborGuard scores this CVE at CVSS 9.6 Critical and surfaces it at the top of the findings queue for affected environments. Per-environment compliance policy weighting and ownership metadata route the alert to the team responsible for each affected image, so the right engineers see it without manual triage.

Available
Patch

A patched-image rebuild at Chrome 149.0.7827.115 becomes available through HarborGuard the moment the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests against the updated image, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must be able to reach the victim over the network, either by hosting a malicious page the victim browses to or by injecting content into an existing browsing session.

  • AuthenticationNot required

    No account or credentials are needed; any unauthenticated remote attacker who can direct the victim to a crafted page can attempt the exploit.

  • Victim interactionRequired

    The victim must visit or be redirected to the attacker-controlled HTML page, making this a social-engineering or drive-by vector that requires at least one user action.

  • Attack complexityDetail

    Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors once the renderer is compromised.

Blast Radius

  • Reads any data accessible to the Chrome process on the host, including stored credentials, session cookies, and files reachable by the browser's OS user.
  • Writes or modifies files and data accessible to that OS user, enabling persistence mechanisms or tampering with local application state.
  • Crashes or destabilizes the host process and any co-located services sharing the same execution environment.
  • Provides a foothold for lateral movement within the container or host, since sandbox containment no longer applies after a successful escape.

How HarborGuard Handles This

Available on HarborGuard: every image in a connected registry or pipeline is checked against the affected Chrome version range (below 149.0.7827.115) within minutes of CVE publication. Because this is a Critical-severity sandbox escape, it surfaces at the top of the findings queue and is routed to the team that owns each affected image based on your org's compliance policy. For customers with auto-remediation enabled, HarborGuard rebuilds the image at 149.0.7827.115, runs the configured regression suite, and opens a pull request against affected workloads automatically; median time from publication to merged patch PR for critical issues is around 90 minutes in those environments. Where auto-remediation is not enabled, the finding is available in the dashboard with full remediation guidance so engineers can act manually. Until patched, consider restricting or disabling Headless Chrome features via feature-flag configuration and applying network policy controls to limit which workloads can serve or render arbitrary HTML through the affected component.

See how HarborGuard automates this

Fix available

149.0.7827.115
Affected packages
  • Google / Chrome
    < 149.0.7827.115 (from 149.0.7827.115)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References