CVE-2026-12465: Object lifecycle issue in Metrics in Google Chrome prior to 149
Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 8.3
- Severity
- HIGH
- Fixed in
- 149.0.7827.155
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An object lifecycle flaw (a use-after-free class of bug) in the Metrics component of Google Chrome prior to version 149.0.7827.155 allows a remote attacker who has already compromised the Chrome renderer process to escape the browser sandbox via a crafted HTML page. The attack requires network reachability, no prior authentication, but does require the victim to interact with attacker-controlled content; the attacker must also satisfy elevated complexity conditions given the renderer pre-compromise requirement. Successful exploitation gives the attacker full confidentiality, integrity, and availability impact outside the sandbox. A patched-image rebuild at 149.0.7827.155 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-12465 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle or ship Chrome.
AvailableHarborGuard scores this CVE at CVSS 8.3 (HIGH) and weights that score against each customer organization's compliance policy to determine urgency and routing, sending findings to the team or inbox configured for the affected workload.
AvailableA patched-image rebuild pinned to Chrome 149.0.7827.155 is available in HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the victim over the network, typically by serving a crafted HTML page from a remote host.
- AuthenticationNot required
No account or credential is required; the attacker interacts with an unauthenticated browser session.
- Victim interactionRequired
The victim must visit or interact with attacker-controlled content, such as opening a malicious HTML page, making this a social-engineering-dependent attack.
- Attack complexityDetail
Exploitation requires the attacker to have already compromised the Chrome renderer process before triggering the sandbox escape, introducing meaningful preconditions beyond a simple one-step exploit.
Blast Radius
- Reads sensitive data from outside the Chrome sandbox, including files and memory accessible to the browser process.
- Modifies data or state outside the sandbox boundary, enabling tampering with the host environment.
- Crashes or destabilizes the affected service or host process, causing a denial of service.
- Achieves full code execution at the browser process privilege level, enabling follow-on system compromise.
How HarborGuard Handles This
Available on HarborGuard: detection of CVE-2026-12465 runs against all customer images automatically as soon as the CVE is published, with no configuration required. Where compliance policy permits and auto-remediation is enabled, HarborGuard rebuilds affected images at Chrome 149.0.7827.155, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers who manage patching manually, HarborGuard surfaces the finding with full CVSS context and flags the fixed version so the upgrade path is unambiguous.
Fix available
- Google / Chrome< 149.0.7827.155 (from 149.0.7827.155)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H