HIGH | CVE-2026-11012 | CNA: Chrome

CVE-2026-11012: Use after free in Serial in Google Chrome on Android prior to 149

Use after free in Serial in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Serial component of Google Chrome on Android, affecting versions prior to 149.0.7827.53. The vulnerability is reachable over the network but requires the attacker to have already compromised the renderer process and to trick the user into visiting a crafted HTML page; CVSS v3.1 scores this 8.3 HIGH with changed scope, meaning a successful exploit breaks out of Chrome's sandbox and gains capabilities beyond the browser process itself. Exploitation allows an attacker to read, modify, or disrupt resources outside the renderer sandbox, effectively achieving a full sandbox escape. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome on Android.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-11012 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Android-based or Chrome-bundled container images. Any image carrying a Chrome for Android version below 149.0.7827.53 is flagged automatically in both registry scans and CI pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.3 HIGH and surfaces it accordingly in each customer's triage queue, with per-environment compliance policy weighting applied to prioritize it relative to other open findings. Routing to the appropriate team inbox within each customer organization is available based on configured ownership rules for Android or browser-related image components.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment where the affected version is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run the configured regression test suite, and open a pull request against the affected workload automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the targeted device must be reachable by or directed to an attacker-controlled web resource.

  • Authentication: Not required

    No account or credential is needed; the attacker only needs the victim to load a page, with no authentication barrier on the attacker side.

  • Victim interaction: Required

    The victim must navigate to or be redirected to a crafted HTML page, making social engineering or malicious-ad delivery a prerequisite for exploitation.

  • Attack complexity: Detail

    Attack complexity is rated High, meaning the attacker must also have pre-compromised the Chrome renderer process before this use-after-free can be leveraged for a sandbox escape, introducing a significant environmental prerequisite.

Blast Radius

  • A successful attacker escapes the Chrome renderer sandbox, gaining code-execution capabilities in a more privileged process context on the Android device.
  • With sandbox escape achieved, the attacker can read sensitive data stored outside the renderer, including cookies, stored credentials, and local files accessible to the browser process.
  • The attacker can modify data or state outside the sandbox, including writing to storage or injecting into other browser or system processes.
  • The attacker can crash or destabilize system-level components beyond the renderer, potentially disrupting device availability or other running applications.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome for Android below 149.0.7827.53 are matched against CVE-2026-11012 automatically on each ingest cycle. Where compliance policy permits, a rebuilt image at the fixed version (149.0.7827.53) is made available immediately upon detection. For customers who opt into auto-remediation, HarborGuard triggers a full rebuild, executes the configured regression test suite, and opens a pull request against affected workloads; for high-severity findings, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Given the sandbox-escape severity and the requirement for a pre-compromised renderer, teams that cannot immediately rebuild are advised to apply network-policy controls that limit which origins Chrome instances can reach, reducing the attacker's ability to deliver the crafted HTML page that triggers the vulnerability.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H