HIGH | CVE-2026-12462 | CNA: Chrome

CVE-2026-12462: Use after free in Media in Google Chrome prior to 149

Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 149.0.7827.155
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Media component of Google Chrome versions prior to 149.0.7827.155. The flaw is reachable over the network but requires the attacker to have already compromised the renderer process and to lure a user into visiting a crafted HTML page; exploitation is conditional on a high-complexity attack chain. Successful exploitation lets the attacker execute arbitrary code inside the Chrome sandbox. A patched-image rebuild at version 149.0.7827.155 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-12462 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication, including custom-built images that bundle a Chrome or Chromium binary.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector and surfaces findings weighted against each customer environment's compliance policy, routing alerts to the appropriate team inbox within the organization.

Patch: Available

A patched-image rebuild at Chrome 149.0.7827.155 becomes available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted on an attacker-controlled server.

  • Authentication: Not required

    No credentials or account privileges are needed; the attack is launched against an unauthenticated browser session.

  • Victim interaction: Required

    The victim must visit or be redirected to a crafted HTML page, requiring a social-engineering or drive-by delivery step.

  • Attack complexity: Detail

    Exploitation is rated high complexity because the attacker must first have compromised the renderer process before leveraging the use-after-free, introducing significant preconditions beyond the attacker's direct control.

Blast Radius

  • The attacker executes arbitrary code within the Chrome sandbox, gaining a foothold for further sandbox-escape attempts.
  • Confidential data accessible to the renderer process, such as page content, stored credentials, and session tokens rendered in the browser, can be read.
  • The attacker can modify in-memory state and data being processed by the renderer, including page content and form data before submission.
  • The affected Chrome process can be crashed or destabilized, disrupting the user's browsing session.

How HarborGuard Handles This

Available on HarborGuard: detection of this CVE is matched against any image that ships a Chrome or Chromium binary, including internally built images, within minutes of the advisory entering upstream feeds. For environments where an affected version is identified, a rebuilt image pinned to 149.0.7827.155 is made available.

For customers who opt into auto-remediation, HarborGuard runs the full rebuild-and-test flow and opens a patch PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a pre-filled PR are staged and waiting for sign-off.

Given the high attack complexity (renderer pre-compromise required), teams that cannot immediately update may reduce exposure by enforcing strict Content Security Policy headers and restricting which container workloads have outbound web access, though upgrading to 149.0.7827.155 remains the only authoritative fix.


Fix available: 149.0.7827.155

Affected packages
  • Google / Chrome
    < 149.0.7827.155 (from 149.0.7827.155)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H