HIGH | CVE-2026-11028 | CNA: Chrome

CVE-2026-11028: Use after free in Media in Google Chrome on Linux and ChromeOS prior to 149

Use after free in Media in Google Chrome on Linux and ChromeOS prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability affects the Media component of Google Chrome on Linux and ChromeOS in versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but the attacker must trick a user into visiting a crafted HTML page and must have already compromised the renderer process. Successful exploitation enables arbitrary code execution inside the browser sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Chrome on Linux or ChromeOS base layers. Any image found to include a Chrome version below 149.0.7827.53 is flagged immediately.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.8 (HIGH) and applies each customer org's compliance policy weighting to prioritize routing. Findings are directed to the appropriate team inbox within each customer environment based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available through HarborGuard for affected environments once the fix version is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim over the network by serving or linking to a crafted HTML page hosted remotely.

  • Authentication: Not required

    No account credentials or prior authentication to the target system are needed to deliver the malicious page.

  • Victim interaction: Required

    The victim must visit a crafted HTML page, requiring the attacker to use social engineering or a malicious link to direct them there.

  • Attack complexity: Detail

    Exploit reliability is high and no special environmental conditions are required beyond the prerequisite renderer compromise; however, achieving that renderer compromise is itself a significant precondition.

Blast Radius

  • An attacker gains arbitrary code execution inside the Chrome sandbox on the affected Linux or ChromeOS host.
  • With sandbox-level code execution, the attacker can read browser memory, including session tokens, cookies, and page content from open tabs.
  • The attacker can tamper with in-process data, injecting content or manipulating network requests made by the compromised renderer.
  • Abuse of the freed memory region can also crash the affected Chrome process, disrupting the user's session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11028 is active across all customer environments, matching Chrome versions below 149.0.7827.53 in scanned images. A patched-image rebuild at 149.0.7827.53 is available for affected images. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the fixed version, executes a regression run, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who do not yet have auto-remediation enabled can review the flagged findings in their HarborGuard dashboard and trigger a manual rebuild. Because exploitation requires a pre-compromised renderer process, teams may also consider network policy controls that restrict outbound connections from container workloads bundling Chrome, reducing the attacker's ability to stage a renderer compromise in the first place.

Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H