Severity: HIGH | CVE-2026-11000 | CNA: Chrome

CVE-2026-11000: Use after free in Fonts in Google Chrome on Linux prior to 149

Use after free in Fonts in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Use-after-free vulnerability in the Fonts subsystem of Google Chrome on Linux (versions prior to 149.0.7827.53) allows a remote attacker to execute arbitrary code inside the browser sandbox by luring a user to a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, but does require the victim to visit a malicious page. Successful exploitation gives the attacker code execution within the Chrome sandbox, which may be chained with a sandbox-escape to fully compromise the host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome on Linux.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment, with this CVE matched against customer images within minutes of publication from upstream feeds, including internally built images that bundle Chrome on Linux base layers. Both registry scans and CI/CD pipeline scans are capable of surfacing affected image layers automatically.

Status: Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector, and triage routing is available per customer compliance policy, sending findings to the team or inbox configured for high-severity browser-component issues in each organization.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available in HarborGuard the moment the fixed base image or package is published upstream. For customers with auto-remediation enabled, HarborGuard runs a rebuild, executes regression tests, and opens a PR against affected workloads without manual intervention.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network; the target Chrome instance must be reachable in the sense that the user can browse to an attacker-controlled URL.

  • Authentication: Not required

    No authentication or account is needed; any anonymous remote attacker can serve the crafted HTML page.

  • Victim interaction: Required

    The victim must visit a crafted HTML page, making this a social-engineering vector that requires user action such as clicking a link or being redirected.

  • Attack complexity: Detail

    Attack complexity is rated low (AC:L in the CVSS vector): the rating assumes the exploit is reliable and requires no race conditions, memory-layout guessing, or other environmental prerequisites beyond the victim loading the page.

Blast Radius

  • The attacker gains arbitrary code execution inside the Chrome renderer sandbox on the affected Linux host.
  • Confidentiality is fully compromised within the sandbox scope, exposing in-memory session tokens, cookies, and page content.
  • Integrity is fully compromised within the sandbox scope, allowing modification of rendered content or in-process data structures.
  • The renderer process can be crashed or forced into an unrecoverable state, disrupting browser availability for the affected user.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11000 is active across all customer scan environments, covering any image that ships Chrome on Linux at a version below 149.0.7827.53. For customers with auto-remediation enabled, HarborGuard will trigger a rebuild against the fixed version, run regression tests, and open a PR targeting affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the configured team inbox with remediation guidance to update Chrome to 149.0.7827.53 or later. Customers who cannot update immediately should consider restricting which users or workloads run Chrome on Linux containers and applying network policy to limit outbound browsing surface until the patch is applied.


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H