CVE-2026-12439: Use after free in Digital Credentials in Google Chrome prior to 149
Use after free in Digital Credentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.155
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Digital Credentials component of Google Chrome versions prior to 149.0.7827.155. The flaw is reachable over the network but requires the victim to load a crafted HTML page; no authentication is needed on the attacker's side. Successful exploitation corrupts heap memory, which in practice means an attacker can read data held by the affected Chrome process, alter its state, or execute arbitrary code within it. The published vector scores scope as unchanged (S:U): the advisory does not describe an escape from the Chrome sandbox, so impact beyond the compromised process would require chaining a further bug. A patched-image rebuild at version 149.0.7827.155 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-12439 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package a Chromium or Chrome binary. No manual feed configuration is required.
HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and weights it further against each environment's compliance policy, so teams with stricter browser-component policies see it routed to the appropriate inbox with elevated priority. Note that Chromium's own severity rating for this bug is Critical, one band above the CVSS rating, so policies that key on vendor severity will rank it higher than the CVSS score alone suggests.
A patched-image rebuild at Chrome 149.0.7827.155 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable from or browsing to an attacker-controlled origin.
- Authentication: Not required
No account or credential on the target system is required; the attacker only needs to get the victim to load the malicious page.
- Victim interaction: Required
The victim must navigate to or be redirected to a crafted HTML page, making this a social-engineering or malicious-link delivery scenario.
- Attack complexity: Low
The vector scores attack complexity as low (AC:L), which in CVSS terms means no conditions outside the attacker's control (a race to win, a non-default configuration, prior knowledge of the target) are needed to reach the bug. This is a scoring judgement about reaching the flaw, not evidence that a reliable public exploit exists: CVSS does not count exploit-mitigation hurdles such as ASLR, or the heap grooming needed to turn a use-after-free into code execution, as attack complexity.
Blast Radius
- A successful attacker can read data held by the compromised Chrome process: page content, tokens for the origins it is handling, and any credentials passing through the Digital Credentials flow (C:H in the vector).
- Heap corruption lets the attacker modify that process's memory, potentially altering the state of the Digital Credentials subsystem and any credential exchange in progress (I:H).
- Arbitrary code execution within the compromised Chrome process is the realistic worst case; reaching the underlying OS requires a separate sandbox-escape bug, which this advisory does not describe (the vector scores scope as unchanged, S:U).
- The process handling the crafted page can be crashed, disrupting the user's active session and any background work tied to it (A:H).
How HarborGuard Handles This
Available on HarborGuard: any image containing a Chrome or Chromium binary below 149.0.7827.155 is flagged immediately upon CVE ingestion, with a rebuilt image at the patched version made available for deployment. For customers who opt into auto-remediation, the typical flow is a rebuild, a regression-test run, and a PR opened against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is staged and the finding is routed to the designated approver queue with full CVSS context attached.
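For hosts or images outside such tooling, the same version check can be done by hand. The following Python is an added example, not HarborGuard's scanner: it parses the dotted-quad version that `google-chrome --version` or `chromium --version` prints, compares it numerically against 149.0.7827.155 from the advisory, and avoids the lexical trap where "149.0.7827.99" sorts after "149.0.7827.155". The binary names it probes on PATH are assumptions; adjust them for your images.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Patched version taken from the advisory; anything numerically lower is in the affected range.
FIXED_VERSION = (149, 0, 7827, 155)

# Chrome/Chromium versions are four numeric components: MAJOR.MINOR.BUILD.PATCH.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Binary names to probe on PATH; assumed for this example, adjust for your images.
CANDIDATE_BINARIES = ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser")

Version = Tuple[int, int, int, int]


def parse_chrome_version(text: str) -> Optional[Version]:
    """Pull the first dotted-quad out of '--version' output or a package version string."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_affected(version: Version) -> bool:
    """Component-wise numeric comparison; comparing the version strings lexically would be wrong."""
    return version < FIXED_VERSION


def assess(text: str) -> Tuple[Optional[Version], Optional[bool]]:
    """Return (parsed version, affected flag); (None, None) means no Chrome-style version was found."""
    version = parse_chrome_version(text)
    if version is None:
        return None, None
    return version, is_affected(version)


def detect_installed(binaries=CANDIDATE_BINARIES):
    """Run '--version' on the first Chrome/Chromium binary found on PATH and assess it."""
    for name in binaries:
        path = shutil.which(name)
        if path is None:
            continue
        try:
            proc = subprocess.run([path, "--version"], capture_output=True, text=True,
                                  timeout=15, check=False)
        except (OSError, subprocess.SubprocessError):
            continue  # binary present but not runnable (headless image, missing libs); try the next
        version, affected = assess(proc.stdout)
        if version is not None:
            return name, version, affected
    return None


if __name__ == "__main__":
    found = detect_installed()
    if found is None:
        print("no Chrome/Chromium binary found on PATH")
    else:
        name, version, affected = found
        print(f"{name} {'.'.join(map(str, version))}: {'AFFECTED' if affected else 'patched'}")
```

Inside a container image the same check runs as `docker run --rm --entrypoint python3 <image> check.py` with the script mounted in; the `assess` function also accepts a package-manager version string, so it can be applied to the output of `dpkg -s google-chrome-stable` or `rpm -q` without launching the browser.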
Fix available
- Google / Chrome: < 149.0.7827.155 (fixed in 149.0.7827.155)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H