How is CVE-2026-12034 exploited?

Network reachability (required): The attacker must reach the target over the network, as the initial attack vector is remote delivery of a malicious file to the victim's browser. Authentication (not-required): No account or credentials are needed; the attacker operates as an unauthenticated remote party. Victim interaction (required): The victim must take an action such as opening or interacting with a malicious file, making social engineering a prerequisite step. Attack complexity (info): Exploitation is high complexity because the attacker must have already compromised the Chrome renderer process before this vulnerability can be used for sandbox escape.

What is the impact of CVE-2026-12034?

Reads arbitrary files and memory outside the Chrome sandbox on the host system, including credentials, session tokens, and user data. Writes or modifies files on the host filesystem with the permissions of the Chrome process user. Crashes the browser process or dependent host services by corrupting process state outside the sandbox. Achieves a full sandbox escape, enabling further lateral movement or persistence on the underlying Linux host.

Back to search

HIGHCVE-2026-12034Published 2026-06-11Modified 2026-06-12CNA Chrome

CVE-2026-12034: Insufficient validation of untrusted input in Linux Toolkit Theming in Google Chrome on Linux prior to 149

Insufficient validation of untrusted input in Linux Toolkit Theming in Google Chrome on Linux prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.115
Affected Products: 1

HarborGuard Analysis

Synopsis

Insufficient input validation in the Linux Toolkit Theming component of Google Chrome on Linux allows a remote attacker who has already compromised the renderer process to escape the browser sandbox. The attack requires network reachability, no prior authentication, a user interaction step, and high attack complexity due to the prerequisite renderer compromise. Successful exploitation gives the attacker full read, write, and crash capability outside the sandbox, effectively achieving arbitrary code execution on the host. A patched-image rebuild at version 149.0.7827.115 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-12034 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Google Chrome on Linux.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.3 (High) and weighting it against each environment's compliance policy, then routing the finding to the appropriate team inbox within each customer organization.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.115 becomes available on HarborGuard for any scanned image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the target over the network, as the initial attack vector is remote delivery of a malicious file to the victim's browser.
AuthenticationNot required
No account or credentials are needed; the attacker operates as an unauthenticated remote party.
Victim interactionRequired
The victim must take an action such as opening or interacting with a malicious file, making social engineering a prerequisite step.
Attack complexityDetail
Exploitation is high complexity because the attacker must have already compromised the Chrome renderer process before this vulnerability can be used for sandbox escape.

Blast Radius

Reads arbitrary files and memory outside the Chrome sandbox on the host system, including credentials, session tokens, and user data.
Writes or modifies files on the host filesystem with the permissions of the Chrome process user.
Crashes the browser process or dependent host services by corrupting process state outside the sandbox.
Achieves a full sandbox escape, enabling further lateral movement or persistence on the underlying Linux host.

How HarborGuard Handles This

Available on HarborGuard: any container image scanned by HarborGuard that packages Google Chrome on Linux at a version below 149.0.7827.115 will surface this CVE as a High-severity finding, scored at CVSS 8.3 and weighted against the environment's compliance policy. A rebuild targeting Chrome 149.0.7827.115 is available as soon as the affected image is identified. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, execute a regression run, and open a pull request against affected workloads; for High-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Customers who manage remediation manually will find the finding routed to their configured team inbox with full CVSS detail and fix-version guidance.

See how HarborGuard automates this

Fix available

149.0.7827.115

Affected packages

Google / Chrome
< 149.0.7827.115 (from 149.0.7827.115)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available