CVE-2026-11024: Stack buffer overflow in Skia in Google Chrome prior to 149
Stack buffer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A stack-based buffer overflow exists in Skia, the graphics rendering library embedded in Google Chrome versions prior to 149.0.7827.53. The vulnerability is reachable over the network and requires no authentication, but the victim must visit a crafted HTML page for exploitation to succeed. Successful exploitation gives an attacker full read, write, and crash capability over the affected browser process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.
AvailableAffected images are scored at CVSS 8.8 (HIGH) using the recorded v3.1 vector, and per-environment compliance policy weighting is applied to route findings to the appropriate team inbox within each customer organization.
AvailableA patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a PR against affected workloads.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted on an attacker-controlled server.
- AuthenticationNot required
No account or credential is needed; the attacker needs only to get the victim to load the malicious page.
- Victim interactionRequired
The victim must actively visit the crafted HTML page, making this a social-engineering vector such as a phishing link or malicious ad redirect.
- Attack complexityDetail
Exploit reliability is high and imposes no special environmental conditions; the overflow is triggered predictably by the malformed page content.
Blast Radius
- Reads arbitrary memory within the Chrome renderer process, exposing session tokens, saved credentials, and in-page user data.
- Writes to the call stack, enabling an attacker to redirect execution and run attacker-supplied code inside the renderer sandbox.
- Crashes the affected Chrome renderer process, causing the active tab to die and any unsaved user state to be lost.
- If a sandbox escape is chained, attacker code runs at the privilege level of the Chrome process on the host system.
How HarborGuard Handles This
Available on HarborGuard: any container image found to bundle a Chrome or Chromium binary older than 149.0.7827.53 is flagged immediately after CVE ingestion. For customers who opt into auto-remediation, HarborGuard triggers a rebuild against the patched version, executes the configured regression tests, and opens a PR against the affected workload; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed with full CVSS context and affected-image inventory to the team inbox designated in that environment's policy configuration.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H