How is CVE-2026-11015 exploited?

Network reachability (required): The attacker delivers the exploit over the network by serving a crafted HTML page to a victim browser, so the Chrome instance must be reachable to normal web traffic. Authentication (not-required): No account, session token, or prior credential is needed; any anonymous network request to the victim browser is sufficient. Victim interaction (required): The victim must navigate to or be redirected to the attacker-controlled HTML page, making social engineering or a malicious ad/link the delivery mechanism. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental prerequisites beyond the victim loading the page.

What is the impact of CVE-2026-11015?

An attacker reads arbitrary memory from the Chrome renderer process, which may include cached credentials, session cookies, and page content from other open tabs sharing the same process. The out-of-bounds read can trigger an unhandled exception that crashes the affected renderer, terminating the victim's active browser tab or the entire browser process depending on Chrome's process isolation posture. If the browser embeds sensitive application tokens or OAuth bearer tokens in memory at the time of exploitation, those values are directly exposed to the attacker without any further privilege escalation.

Back to search

HIGHCVE-2026-11015Published 2026-06-04Modified 2026-06-08CNA Chrome

CVE-2026-11015: Out of bounds read in WebGPU in Google Chrome prior to 149

Out of bounds read in WebGPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the WebGPU component of Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but a victim must visit a crafted HTML page for exploitation to succeed. Successful exploitation allows an attacker to read arbitrary memory regions from the browser process, disclosing sensitive in-memory data and potentially crashing the affected tab or renderer process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment; CVE-2026-11015 is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chromium or Chrome binary.

Available

Triage

HarborGuard scores this CVE at 8.1 HIGH using the CVSS v3.1 vector, and per-environment compliance policy weighting is applied to route alerts to the appropriate team inbox within each customer organization.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by serving a crafted HTML page to a victim browser, so the Chrome instance must be reachable to normal web traffic.
AuthenticationNot required
No account, session token, or prior credential is needed; any anonymous network request to the victim browser is sufficient.
Victim interactionRequired
The victim must navigate to or be redirected to the attacker-controlled HTML page, making social engineering or a malicious ad/link the delivery mechanism.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental prerequisites beyond the victim loading the page.

Blast Radius

An attacker reads arbitrary memory from the Chrome renderer process, which may include cached credentials, session cookies, and page content from other open tabs sharing the same process.
The out-of-bounds read can trigger an unhandled exception that crashes the affected renderer, terminating the victim's active browser tab or the entire browser process depending on Chrome's process isolation posture.
If the browser embeds sensitive application tokens or OAuth bearer tokens in memory at the time of exploitation, those values are directly exposed to the attacker without any further privilege escalation.

How HarborGuard Handles This

Available on HarborGuard: images containing Chrome versions below 149.0.7827.53 are flagged automatically as ingest cycles complete, scored at CVSS 8.1 HIGH, and routed according to each environment's compliance policy. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at Chrome 149.0.7827.53, executes a regression run, and opens a PR against affected workloads; for high-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments that manage patching manually, the HarborGuard dashboard surfaces the pinned fix version and the affected image list so teams can prioritize and act without additional triage overhead.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available