How is CVE-2026-11002 exploited?

Network reachability (required): The attacker delivers the crafted HTML page over the network, so the target Chrome instance must be reachable or the user must browse to an attacker-controlled origin. Authentication (not-required): No credentials or account are needed; any unauthenticated user visiting the malicious page is a viable target. Victim interaction (required): The victim must open or be redirected to a specially crafted HTML page, making this dependent on a social-engineering or drive-by delivery step. Attack complexity (info): Attack complexity is rated High because the attacker must first achieve a renderer-process compromise before this use-after-free can be leveraged for sandbox escape, introducing a significant prerequisite condition.

What is the impact of CVE-2026-11002?

Reads sensitive data from outside the Chrome sandbox, including stored credentials, cookies, and session tokens held by the browser process. Modifies browser state or files accessible to the browser process, enabling tampering with downloaded content or browser configuration. Crashes or destabilizes the browser process, causing a denial of service for the affected user session. Achieves code execution in the context of the browser process, bypassing the renderer sandbox and gaining a foothold at a higher privilege level on the host.

Back to search

HIGHCVE-2026-11002Published 2026-06-04Modified 2026-06-06CNA Chrome

CVE-2026-11002: Use after free in Autofill in Google Chrome prior to 149

Use after free in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

Use-after-free in the Autofill component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though it does require the victim to visit a malicious page and the attacker to have a pre-existing renderer compromise. Successful exploitation gives the attacker full confidentiality, integrity, and availability impact outside the sandbox boundary. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images. Any image shipping a Chrome build prior to 149.0.7827.53 will surface as affected in the scan results.

Available

Triage

HarborGuard scores this finding at 8.3 HIGH using the CVSS v3.1 vector and weights it further against each environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available through HarborGuard once the fix version is confirmed in the upstream advisory, which it is here. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, so the target Chrome instance must be reachable or the user must browse to an attacker-controlled origin.
AuthenticationNot required
No credentials or account are needed; any unauthenticated user visiting the malicious page is a viable target.
Victim interactionRequired
The victim must open or be redirected to a specially crafted HTML page, making this dependent on a social-engineering or drive-by delivery step.
Attack complexityDetail
Attack complexity is rated High because the attacker must first achieve a renderer-process compromise before this use-after-free can be leveraged for sandbox escape, introducing a significant prerequisite condition.

Blast Radius

Reads sensitive data from outside the Chrome sandbox, including stored credentials, cookies, and session tokens held by the browser process.
Modifies browser state or files accessible to the browser process, enabling tampering with downloaded content or browser configuration.
Crashes or destabilizes the browser process, causing a denial of service for the affected user session.
Achieves code execution in the context of the browser process, bypassing the renderer sandbox and gaining a foothold at a higher privilege level on the host.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE fires within minutes of ingestion for any image containing Chrome prior to 149.0.7827.53, covering registry-stored images and images built inside customer CI pipelines. A patched rebuild at 149.0.7827.53 is available for environments running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy restricts auto-remediation, the finding is routed to the designated team inbox with the fix version and CVSS context attached so engineers can act without additional research overhead.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available