CRITICAL | CVE-2026-11037 | CNA: Chrome

CVE-2026-11037: Out of bounds write in Codecs in Google Chrome prior to 149

Out of bounds write in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability in the Codecs component of Google Chrome (versions prior to 149.0.7827.53) may allow a remote attacker to perform a sandbox escape by convincing a user to open a crafted video file. The attack is reachable over the network and requires no authentication, but it does require the victim to interact with malicious content. Successful exploitation has high confidentiality, integrity, and availability impact outside the browser sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11037 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. This capability covers both base images pulled from public registries and custom-built images that bundle a Chromium or Chrome runtime.

Status: Available

Triage

HarborGuard scores this CVE at 9.6 CRITICAL (CVSS v3.1) and can apply per-environment compliance policy weighting before routing findings to the appropriate team inbox within each customer organization. Triage context includes the affected version range and the confirmed fix version, so responders can immediately assess exposure.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard the moment the fix version is ingested. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted video file over the network, so the Chrome instance must be reachable or the user must browse to attacker-controlled content.

  • Authentication: Not required

    No account or credentials are needed; any unauthenticated remote party can serve the malicious payload.

  • Victim interaction: Required

    The victim must open or render a crafted video file, meaning the attacker must socially engineer the user into visiting a malicious page or opening a supplied file.

  • Attack complexity: Detail

    Attack complexity is low (AC:L in the CVSS vector), meaning exploitation does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • The attacker escapes the Chrome browser sandbox and gains code execution in the context of the host process.
  • Confidential data accessible to the browser process, including stored credentials, session tokens, and cached content, becomes readable by the attacker.
  • The attacker can write or modify files and data accessible to the host process, including user profile data and local application state.
  • The attacker can crash or destabilize the affected browser process or dependent system services, causing a denial of service.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome prior to 149.0.7827.53 are flagged as soon as the CVE is ingested from upstream feeds, including any custom-built images that ship a Chromium runtime. Where compliance policy permits, HarborGuard can rebuild the image at the patched version (149.0.7827.53), run a regression suite against it, and open a pull request against affected workloads automatically; for environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for critical-severity issues is around 90 minutes. For environments where auto-remediation is not enabled, the finding is routed to the appropriate team inbox with full CVSS context and a direct reference to the fix version so responders can act manually.


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H