HIGH | CVE-2026-11040 | CNA: Chrome

CVE-2026-11040: Use after free in ANGLE in Google Chrome prior to 149

Use after free in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in ANGLE, the graphics translation layer used by Google Chrome, affects all Chrome versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but the attacker must already have compromised the renderer process and must trick a user into visiting a crafted HTML page. Successful exploitation allows a full sandbox escape, giving the attacker code execution outside the browser sandbox with high impact on confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection capability for CVE-2026-11040 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. This matching covers both upstream base images and custom-built images that bundle a Chromium or Chrome runtime.

Triage (Available)

HarborGuard is capable of scoring this CVE at 8.3 HIGH (CVSS v3.1) and weighting that score against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Available)

A patched-image rebuild at Chrome 149.0.7827.53 becomes available through HarborGuard once the upstream fix is confirmed ingested. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the target Chrome instance must be reachable and browsing to attacker-controlled content.

  • Authentication: Not required

    No account or credential is needed; the attack is initiated through a publicly accessible crafted web page.

  • Victim interaction: Required

    The target user must visit the crafted HTML page, requiring a social-engineering step to direct them to attacker-controlled content.

  • Attack complexity: High

    Attack complexity is high; the attacker must first compromise the renderer process before this use-after-free can be used for sandbox escape, introducing significant prerequisite steps.

Blast Radius

  • An attacker who completes the sandbox escape gains the ability to read files, credentials, and session data accessible to the browser process on the host.
  • The attacker can write or modify files and data on the host, including persisted application state outside the browser sandbox.
  • The attacker can crash or destabilize the browser or dependent host services, causing a denial of service.
  • Because the sandbox boundary is fully bypassed, further lateral movement or privilege escalation on the host system becomes possible.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11040 is active across all connected registries and pipelines, matching any image that bundles a pre-149.0.7827.53 Chrome or Chromium runtime. Given the HIGH severity rating and the concrete sandbox-escape impact, this CVE is surfaced at elevated priority in the triage queue and weighted against each environment's compliance policy. Where compliance policy permits auto-remediation, HarborGuard will trigger a patched-image rebuild at 149.0.7827.53, execute a regression run, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the rebuild is staged and available for manual promotion. Because exploitation requires a prior renderer compromise, teams that cannot immediately deploy the patch should consider restricting or disabling the affected Chrome runtime in container workloads and applying network-policy controls to limit outbound browsing exposure until the patched image is promoted.


Fix available: 149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H