HIGH | CVE-2026-12438 | CNA: Chrome

CVE-2026-12438: Inappropriate implementation in WebView in Google Chrome on Android prior to 149

Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 149.0.7827.155
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in Google Chrome's WebView component on Android, affecting all versions prior to 149.0.7827.155. An attacker who has already compromised the renderer process can reach this flaw over the network, without any credentials, by serving a crafted HTML page that the victim visits. Successful exploitation breaks out of the renderer sandbox, with full impact on the confidentiality, integrity, and availability of the affected system. A patched-image rebuild at version 149.0.7827.155 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-12438 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built Android or Chrome-based container images. Any image layer containing a vulnerable Chrome version below 149.0.7827.155 is flagged automatically.

Status: Available

Triage

Triage is available with a CVSS base score of 8.3 (HIGH, v3.1), and HarborGuard can weight this against each customer's per-environment compliance policy to adjust priority and route findings to the appropriate team inbox within each organization.

Status: Available

Patch

A patched-image rebuild at Chrome version 149.0.7827.155 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim over the network by serving a crafted HTML page from a remote location.

  • Authentication: Not required

    No credentials or account are needed; the attacker exploits the flaw through a page the victim visits.

  • Victim interaction: Required

    The victim must visit or be directed to the attacker-controlled HTML page, making social engineering a prerequisite.

  • Attack complexity: Detail

    Exploitation is rated high complexity, meaning the attacker must first have compromised the renderer process before leveraging this flaw to escape the sandbox.

Blast Radius

  • A successful sandbox escape lets the attacker execute code outside the Chrome renderer sandbox, breaking the primary isolation boundary on the Android device.
  • The attacker can read any data accessible to the browser process, including stored credentials, session tokens, and cached page content.
  • The attacker can modify files, cookies, or stored application data that the browser process can reach on the device.
  • The attacker can crash or disrupt the browser process and any dependent services, causing a denial of service for the affected user.

How HarborGuard Handles This

Available on HarborGuard: detection of this sandbox escape is matched against customer images within minutes of ingestion. Where auto-remediation is enabled, HarborGuard initiates a rebuild at Chrome 149.0.7827.155, runs regression tests against the rebuilt image, and opens a pull request against affected workloads. For high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are staged and a triage ticket is routed to the designated team inbox. Given the high attack complexity (renderer pre-compromise required) and the need for victim interaction, teams that cannot immediately rebuild should also consider restricting WebView-based features via feature flags and applying network policy controls to limit outbound renderer process communication as a compensating control.

Fix available: 149.0.7827.155

Affected packages

  • Google / Chrome
    < 149.0.7827.155 (from 149.0.7827.155)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H