HIGH | CVE-2026-12029 | CNA: Chrome

CVE-2026-12029: Use after free in Video in Google Chrome on Windows prior to 149

Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 149.0.7827.115
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Video component of Google Chrome on Windows allows a remote attacker who has already compromised the renderer process to escape Chrome's sandbox via a crafted HTML page. The attack requires the victim to visit a malicious page and operates over the network, though it involves high attack complexity. Successful exploitation gives the attacker full read, write, and availability impact beyond the sandbox boundary, effectively granting arbitrary code execution at the host OS level. A patched-image rebuild at version 149.0.7827.115 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: CVE-2026-12029 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Chrome on Windows base layers. Any image in a customer registry or CI pipeline carrying a Chrome version below 149.0.7827.115 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.3 (HIGH) and surfaces it with that severity weighting in each customer environment. Per-environment compliance policy filters and team-routing rules ensure the finding reaches the right inbox, such as a platform security team or the workload owner, without manual triage overhead.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.115 becomes available through HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the condition is met whenever the user browses to an attacker-controlled URL in the affected Chrome instance.

  • Authentication: Not required

    No credentials or account are needed; any unauthenticated remote attacker can serve the malicious page.

  • Victim interaction: Required

    The victim must open a crafted HTML page in the affected browser, making social engineering or a malicious link a required part of the attack chain.

  • Attack complexity: Detail

    Attack complexity is high, meaning the attacker must have already compromised the renderer process before the use-after-free can be leveraged for sandbox escape, introducing a significant prerequisite step.

Blast Radius

  • Attacker reads sensitive data from outside the Chrome sandbox, including files, credentials, and OS-level secrets accessible to the logged-in Windows user.
  • Attacker writes or modifies files and data on the host system beyond what the sandboxed renderer would normally be permitted to touch.
  • Attacker can crash or destabilize host-level processes, disrupting services running on the same machine.
  • Combined high confidentiality, integrity, and availability impact at the host OS scope means full code execution outside the browser sandbox is achievable.

How HarborGuard Handles This

Available on HarborGuard: any container image bundling Google Chrome below 149.0.7827.115 on a Windows base layer is flagged at ingest, scored at CVSS 8.3 HIGH, and routed to the appropriate team under each customer's compliance policy. For customers who opt into auto-remediation, HarborGuard rebuilds the image at Chrome 149.0.7827.115, runs regression tests, and opens a PR against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding appears in the HarborGuard dashboard with the fix version clearly indicated so engineers can act manually. Given the sandbox-escape severity and the renderer-compromise prerequisite, teams unable to update immediately should consider isolating affected workloads behind stricter network egress controls and disabling any feature flags that expose the Video component until the patched image is deployed.

Fix available

149.0.7827.115

Affected packages

  • Google / Chrome
    < 149.0.7827.115 (from 149.0.7827.115)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H