How is CVE-2026-12466 exploited?

Network reachability (required): The attacker delivers the exploit over the network; the victim's browser must be able to reach an attacker-controlled HTML page. Authentication (not-required): No account or credential of any kind is needed; the attacker only needs the victim to visit a URL. Victim interaction (required): The victim must navigate to or be redirected to a crafted HTML page, making social engineering (phishing link, malicious ad, etc.) a prerequisite. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or other environmental factors.

What is the impact of CVE-2026-12466?

Reads sensitive data accessible to the Chrome renderer process, including session tokens, cookies, and page content from the active browsing context. Modifies in-memory state within the renderer, enabling injection of malicious content or exfiltration of autofill or stored credential data surfaced to the page. Crashes the affected Chrome tab or renderer process, disrupting the user's session. Serves as a foothold for sandbox-escape chains; if combined with a separate privilege-escalation bug, grants full OS-level code execution on the Windows host.

Back to search

HIGHCVE-2026-12466Published 2026-06-17Modified 2026-06-17CNA Chrome

CVE-2026-12466: Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149

Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.155
Affected Products: 1

HarborGuard Analysis

Synopsis

A heap buffer overflow in the WebRTC component of Google Chrome on Windows allows a remote attacker to execute arbitrary code by luring a user to a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though the victim must visit an attacker-controlled page. Successful exploitation gives the attacker full code execution in the context of the Chrome renderer process, enabling data theft, tampering, or further system compromise. A patched-image rebuild at version 149.0.7827.155 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium installation.

Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy, routing findings to the appropriate team inbox within each customer organization.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.155 is available on HarborGuard for any image found to contain an affected version. For customers with auto-remediation enabled, the platform rebuilds the image, runs a regression suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network; the victim's browser must be able to reach an attacker-controlled HTML page.
AuthenticationNot required
No account or credential of any kind is needed; the attacker only needs the victim to visit a URL.
Victim interactionRequired
The victim must navigate to or be redirected to a crafted HTML page, making social engineering (phishing link, malicious ad, etc.) a prerequisite.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or other environmental factors.

Blast Radius

Reads sensitive data accessible to the Chrome renderer process, including session tokens, cookies, and page content from the active browsing context.
Modifies in-memory state within the renderer, enabling injection of malicious content or exfiltration of autofill or stored credential data surfaced to the page.
Crashes the affected Chrome tab or renderer process, disrupting the user's session.
Serves as a foothold for sandbox-escape chains; if combined with a separate privilege-escalation bug, grants full OS-level code execution on the Windows host.

How HarborGuard Handles This

Available on HarborGuard: any container image that ships or embeds Google Chrome below version 149.0.7827.155 is flagged as soon as the scan runs against it. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the fixed version, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS scoring and remediation guidance attached. Customers who cannot immediately rebuild (for example, due to change-freeze windows) should consider restricting the affected container's network egress and disabling WebRTC via enterprise policy flags as a compensating control until the patched image is promoted.

See how HarborGuard automates this

Fix available

149.0.7827.155

Affected packages

Google / Chrome
< 149.0.7827.155 (from 149.0.7827.155)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available