How is CVE-2026-12449 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network exposure is required to reach the vulnerable component. Authentication (not-required): No account credentials or prior privileges are needed; the attacker can trigger the flaw without authenticating to the system. Victim interaction (required): A local user must open or otherwise interact with a malicious file, making this exploit dependent on a social-engineering step. Attack complexity (info): The exploit is reliable and condition-free; no race conditions or special environmental factors need to be arranged.

What is the impact of CVE-2026-12449?

A successful attacker achieves OS-level privilege escalation, gaining capabilities beyond their initial unprivileged context. Confidentiality impact is high: the attacker reads protected OS resources, credential stores, and other user data accessible at the elevated privilege level. Integrity impact is high: the attacker writes to or modifies protected files, registry keys, and system configurations. Availability impact is high: the attacker disrupts or terminates processes and services on the affected Windows host.

Back to search

HIGHCVE-2026-12449Published 2026-06-17Modified 2026-06-17CNA Chrome

CVE-2026-12449: Use after free in Chromoting in Google Chrome on Windows prior to 149

Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 149.0.7827.155
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability affects the Chromoting component of Google Chrome on Windows in versions prior to 149.0.7827.155. The flaw is reached locally and requires a user to interact with a malicious file, but does not require any authentication or existing privileges. Successful exploitation gives the attacker OS-level privilege escalation, granting high-impact read, write, and denial-of-service capabilities on the host. A patched-image rebuild at version 149.0.7827.155 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection for CVE-2026-12449 is available across every HarborGuard environment, with the CVE ingested from upstream feeds and matched against customer images within minutes of publication, including custom-built images that bundle Google Chrome on Windows base layers. Any image whose installed Chrome version falls below 149.0.7827.155 is flagged automatically.

Available

Triage

HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.8 (HIGH), weighted further against each environment's compliance policy to prioritize routing. Findings are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.155 becomes available in HarborGuard the moment the fix version is confirmed in upstream advisory feeds. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network exposure is required to reach the vulnerable component.
AuthenticationNot required
No account credentials or prior privileges are needed; the attacker can trigger the flaw without authenticating to the system.
Victim interactionRequired
A local user must open or otherwise interact with a malicious file, making this exploit dependent on a social-engineering step.
Attack complexityDetail
The exploit is reliable and condition-free; no race conditions or special environmental factors need to be arranged.

Blast Radius

A successful attacker achieves OS-level privilege escalation, gaining capabilities beyond their initial unprivileged context.
Confidentiality impact is high: the attacker reads protected OS resources, credential stores, and other user data accessible at the elevated privilege level.
Integrity impact is high: the attacker writes to or modifies protected files, registry keys, and system configurations.
Availability impact is high: the attacker disrupts or terminates processes and services on the affected Windows host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12449 is active across all connected registries and CI pipelines, matching any image that ships Google Chrome below version 149.0.7827.155. Where compliance policy permits auto-remediation, HarborGuard will rebuild the affected image at Chrome 149.0.7827.155, execute a regression test run against the rebuilt image, and open a pull request against the affected workload; for high-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is queued in the triage inbox with its CVSS 7.8 HIGH score and ownership routing so the responsible team can act manually. Because this vulnerability requires local access and victim file interaction, compensating controls such as restricting execution of untrusted files via endpoint policy and limiting Chrome deployment to managed base images can reduce exposure while a patch is being applied.

See how HarborGuard automates this

Fix available

149.0.7827.155

Affected packages

Google / Chrome
< 149.0.7827.155 (from 149.0.7827.155)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available