How is CVE-2026-12442 exploited?

Network reachability (required): The attacker must reach the victim over the network by inducing them to load a crafted page served from an attacker-controlled or compromised host. Authentication (not-required): No account or credentials on the target system are needed; the attack is launched purely through a malicious HTML page delivered to the browser. Victim interaction (required): The victim must open or be redirected to a crafted HTML page, making this a social-engineering or drive-by scenario that depends on user action. Attack complexity (info): The exploit is reliable and condition-free once the victim loads the page, with no race conditions or specific memory-layout requirements to satisfy.

What is the impact of CVE-2026-12442?

The attacker gains arbitrary code execution in the context of the Chrome process on the victim's Android device. All data accessible to the browser, including saved passwords, session cookies, and locally cached content, is exposed for reading. The attacker can write or modify browser-managed storage, including saved credentials and browsing data. The affected Chrome process can be crashed or the broader device destabilized, disrupting access to the browser and any services it is authenticating against.

Back to search

HIGHCVE-2026-12442Published 2026-06-17Modified 2026-06-17CNA Chrome

CVE-2026-12442: Use after free in Passwords in Google Chrome on Android prior to 149

Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.155
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Passwords component of Google Chrome on Android affects all versions prior to 149.0.7827.155. The flaw is reachable over the network without any authentication, though it requires the victim to visit a specially crafted HTML page. Successful exploitation gives a remote attacker full arbitrary code execution on the affected device. A patched-image rebuild at version 149.0.7827.155 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-12442 is available across every HarborGuard environment, with the CVE matched against customer images, including custom-built ones incorporating Chrome on Android, within minutes of publication from upstream feeds. Any image in a customer registry or CI pipeline carrying an affected Chrome version below 149.0.7827.155 is flagged automatically.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.8 (High) and weighting that score against each customer environment's compliance policy to determine priority. Triage routing to the appropriate team inbox within each customer organization is available as part of the standard pipeline.

Available

Patch

A patched-image rebuild at Chrome version 149.0.7827.155 becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the victim over the network by inducing them to load a crafted page served from an attacker-controlled or compromised host.
AuthenticationNot required
No account or credentials on the target system are needed; the attack is launched purely through a malicious HTML page delivered to the browser.
Victim interactionRequired
The victim must open or be redirected to a crafted HTML page, making this a social-engineering or drive-by scenario that depends on user action.
Attack complexityDetail
The exploit is reliable and condition-free once the victim loads the page, with no race conditions or specific memory-layout requirements to satisfy.

Blast Radius

The attacker gains arbitrary code execution in the context of the Chrome process on the victim's Android device.
All data accessible to the browser, including saved passwords, session cookies, and locally cached content, is exposed for reading.
The attacker can write or modify browser-managed storage, including saved credentials and browsing data.
The affected Chrome process can be crashed or the broader device destabilized, disrupting access to the browser and any services it is authenticating against.

How HarborGuard Handles This

Available on HarborGuard: detection of any image carrying a Chrome for Android build below 149.0.7827.155 is active across customer registries and pipelines, matched within minutes of CVE publication. Where compliance policy permits, a rebuilt image at the patched version is made available and, for customers with auto-remediation enabled, HarborGuard can open a pull request against affected workloads after completing a regression run. For high-severity CVEs like this one, the median time from publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Given the critical upstream rating and the no-authentication, over-the-network attack surface, customers who cannot immediately rebuild are advised to enforce network policies that restrict outbound browsing from affected container workloads and to consider feature-flag or MDM-level controls that limit Chrome on Android exposure until the patched image is deployed.

See how HarborGuard automates this

Fix available

149.0.7827.155

Affected packages

Google / Chrome
< 149.0.7827.155 (from 149.0.7827.155)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available