HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-11021Published Modified CNA Chrome

CVE-2026-11021: Insufficient validation of untrusted input in GPU in Google Chrome on Windows prior to 149

Insufficient validation of untrusted input in GPU in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
149.0.7827.53
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is an insufficient input validation vulnerability in the GPU component of Google Chrome on Windows, affecting all versions prior to 149.0.7827.53. It is reachable over the network and requires no authentication, though a victim must visit a crafted HTML page; critically, the attacker must already have compromised the Chrome renderer process before this bug becomes exploitable. Successful exploitation enables a sandbox escape, giving the attacker capabilities beyond the Chrome sandbox including full confidentiality, integrity, and availability impact on the host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11021 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including the Chrome CNA advisory. This capability covers both third-party base images and custom-built images that bundle Chrome on Windows.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 9.6 Critical and weighting it against each customer environment's compliance policy to determine urgency and routing. Triage results are routed to the appropriate inbox within each customer organization based on configured ownership rules.

Available
Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment found running an affected version. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run regression tests, and open a PR against affected workloads automatically, with a median time from CVE publication to merged patch PR of around 90 minutes for critical-severity issues.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers a crafted HTML page over the network, so the target Chrome instance must be reachable in the sense that the user browses to attacker-controlled content.

  • AuthenticationNot required

    No account or credentials are required; any user browsing to a crafted page can be targeted.

  • Victim interactionRequired

    The victim must open a crafted HTML page in Chrome, making this a social-engineering vector that requires the user to navigate to or be redirected to attacker-controlled content.

  • Attack complexityDetail

    The CVSS vector marks complexity as Low, but in practice a precondition exists: the attacker must already control the Chrome renderer process before this bug enables a sandbox escape; once that precondition is met, the exploit itself is reliable and condition-free.

Blast Radius

  • An attacker who achieves the sandbox escape reads files, credentials, and session data accessible to the Windows user running Chrome.
  • The attacker can write to or modify files and registry entries within the scope of that Windows user account.
  • The attacker can terminate or crash the Chrome process and any child processes, disrupting the user's session.
  • With sandbox restrictions removed, the attacker can execute arbitrary code in the context of the Windows user, enabling persistence or lateral movement on the host.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-11021 fires automatically as the CVE enters ingestion feeds, matching against any customer image that bundles Chrome on Windows below version 149.0.7827.53. A patched-image rebuild at 149.0.7827.53 becomes available immediately upon detection. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads; for critical-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is surfaced with severity, fix version, and routing context so engineering teams can act manually. All environments continue to be re-evaluated on each ingest cycle to confirm remediation status.

See how HarborGuard automates this

Fix available

149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References