CRITICAL | CVE-2026-11009 | CNA: Chrome

CVE-2026-11009: Use after free in USB in Google Chrome on Windows prior to 149

Use after free in USB in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

Use-after-free in the USB component of Google Chrome on Windows (versions prior to 149.0.7827.53) allows a remote attacker to escape the browser sandbox via a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though the victim must visit a malicious page. Successful exploitation gives the attacker full read, write, and crash capability outside the browser sandbox, effectively yielding code execution on the host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-11009 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chromium or Chrome binary. Any image containing a Chrome version below 149.0.7827.53 on Windows base layers is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 9.6 CRITICAL (CVSS v3.1) and surfaces it at the top of affected-image queues, weighted further by any per-environment compliance policies that treat sandbox-escape or remote-code-execution classes as elevated priority. Triage alerts are routed to the team inbox or ticketing integration configured for each customer org.

Patch: Available

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available in HarborGuard the moment the fix version is confirmed in the upstream advisory feed. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by luring the victim to a crafted HTML page, so the Chrome instance must be reachable in a browsing context exposed to attacker-controlled content.

  • Authentication: Not required

    No account or credential is needed; any unauthenticated remote attacker can serve the malicious page.

  • Victim interaction: Required

    The victim must open or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond the victim loading the page.

Blast Radius

  • The attacker escapes the Chrome sandbox and gains code execution in the context of the browser process on the Windows host.
  • With sandbox escape achieved, the attacker reads files, credentials, and session tokens accessible to the logged-in Windows user.
  • The attacker can write or modify files on the host filesystem, including dropping persistent malware or altering application data.
  • The attacker can crash or destabilize the host process, causing denial of service to the affected workload.

How HarborGuard Handles This

Available on HarborGuard: any image containing Chrome below 149.0.7827.53 is flagged as CRITICAL within minutes of the CVE entering the upstream feed, covering both pulled public images and internally built images that bundle a Chrome or Chromium binary. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the fixed version (149.0.7827.53), runs regression tests, and opens a pull request against the affected workload; for critical-severity issues, median time from publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with direct guidance to upgrade Chrome to 149.0.7827.53 and, as a compensating control until the rebuild is deployed, teams can apply network policy to restrict outbound browsing contexts or disable USB-related browser features via enterprise policy flags.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H