HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-11029Published Modified CNA Chrome

CVE-2026-11029: Insufficient validation of untrusted input in Drag and Drop in Google Chrome on Android prior to 149

Insufficient validation of untrusted input in Drag and Drop in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1
8.3
Severity
HIGH
Fixed in
149.0.7827.53
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is an insufficient input validation vulnerability in the Drag and Drop component of Google Chrome on Android, affecting versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, though it does require the attacker to have already compromised the renderer process and to trick the victim into interacting with a crafted HTML page. Successful exploitation enables a sandbox escape, giving the attacker the ability to read sensitive data, tamper with content, and disrupt service outside the browser sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11029 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built Android-based container images carrying the affected Chrome version. This capability applies to images in customer registries and active CI/CD pipelines alike.

Available
Triage

HarborGuard is capable of scoring this CVE at 8.3 HIGH (CVSS v3.1) and weighting that score against each environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization.

Available
Patch

A patched-image rebuild at Chrome version 149.0.7827.53 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the crafted HTML page over the network, so the target device must be reachable by or must browse to attacker-controlled content.

  • AuthenticationNot required

    No account or credentials are needed; the attack is launched from an unauthenticated remote position against any user who visits the crafted page.

  • Victim interactionRequired

    The victim must interact with a crafted HTML page, such as performing a drag-and-drop action, making this a social-engineering-dependent attack.

  • Attack complexityDetail

    Attack complexity is high because the attacker must have already compromised the renderer process as a precondition before the sandbox escape can be triggered.

Blast Radius

  • A successful sandbox escape lets the attacker read data outside the Chrome sandbox, including stored credentials, session tokens, and files accessible to the browser process on the Android device.
  • The attacker gains the ability to write or modify data outside the sandbox, including application storage or system-accessible files depending on device permissions.
  • The attacker can crash or destabilize processes outside the browser sandbox, causing service disruption beyond the tab or browser instance.
  • Because the scope change is confirmed (S:C in the CVSS vector), impact extends beyond the compromised browser context to other components on the same device.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11029 activates as soon as the advisory is ingested, matching any container image that packages an affected Chrome for Android version against the published fix boundary of 149.0.7827.53. For customers who opt into auto-remediation, HarborGuard can rebuild the image at the patched version, run a regression test pass, and open a pull request against affected workloads; for HIGH severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval, the rebuilt image and test results are staged and surfaced in the finding detail view for engineer review. Customers who need to reduce exposure before a rebuild can be completed should consider network-policy controls that restrict the Android environment's access to untrusted web content, and should treat renderer-process integrity as an additional monitoring signal.

See how HarborGuard automates this

Fix available

149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
References