HIGH | CVE-2026-12454 | CNA: Chrome

CVE-2026-12454: Race in Safe Browsing in Google Chrome on Mac prior to 149

Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.155
Affected Products: 1


HarborGuard Analysis

Synopsis

A race condition in the Safe Browsing component of Google Chrome on macOS allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, but it does require the victim to visit a malicious page, and exploitation depends on winning a race in timing-sensitive code. Successful exploitation gives the attacker full read, write, and crash capability beyond the browser sandbox, effectively taking control of the host process. A patched-image rebuild at version 149.0.7827.155 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome on macOS base layers.

Triage: Available

HarborGuard scores this finding at CVSS 8.3 (High) and weights it against each environment's compliance policy before routing the alert to the appropriate team inbox inside each customer org.

Patch: Available

A patched-image rebuild at Chrome 149.0.7827.155 becomes available in HarborGuard the moment the upstream fix is indexed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the vulnerable service must be reachable from the attacker's origin.

  • Authentication: Not required

    No account or credentials are needed; any unauthenticated user visiting the malicious page is a valid target.

  • Victim interaction: Required

    The victim must navigate to or be redirected to the attacker-controlled HTML page, making this a social-engineering or drive-by delivery scenario.

  • Attack complexity: Detail

    Exploitation depends on winning a race condition in the Safe Browsing component, meaning success is probabilistic and may require repeated attempts or careful timing to achieve sandbox escape.

Blast Radius

  • A successful sandbox escape lets the attacker read files and data accessible to the browser process outside the sandbox, including session tokens, cookies, and local user files.
  • The attacker gains the ability to write or modify data on the host filesystem at the permission level of the browser process.
  • The attacker can crash or destabilize the host browser process and any dependent services running under the same user account.
  • Because this is a full sandbox escape, the attacker effectively operates as an unprivileged local user on the macOS host, opening the door to further local privilege escalation.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome on macOS base layers are matched against CVE-2026-12454 within minutes of CVE publication, covering both upstream and internally built images. For environments with auto-remediation enabled, HarborGuard rebuilds the image at Chrome 149.0.7827.155, executes the configured regression test suite, and opens a pull request against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where compliance policy does not permit auto-remediation, the finding is surfaced in the HarborGuard dashboard with the fix version pinned, so engineering teams can action it manually. Given the sandbox-escape severity and the race-condition exploit path, prioritizing this rebuild ahead of the next scheduled maintenance window is advisable for any image that ships Chrome on macOS.


Fix available: 149.0.7827.155
Affected packages
  • Google / Chrome
    < 149.0.7827.155 (from 149.0.7827.155)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H