CVE-2026-11041: Insufficient validation of untrusted input in Media in Google Chrome on Windows prior to 149
Insufficient validation of untrusted input in Media in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an insufficient input validation vulnerability in the Media component of Google Chrome on Windows, affecting versions prior to 149.0.7827.53. It is reachable over the network, requires no authentication, and requires a user to visit a crafted HTML page; as a prerequisite, the attacker must also have already compromised the renderer process. Successful exploitation enables a sandbox escape, giving the attacker code execution outside Chrome's sandboxed renderer and access to the underlying host system. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection for CVE-2026-11041 is available across every HarborGuard environment, with the CVE matched against customer images (including custom-built images) within minutes of ingestion from upstream advisory feeds. Any image shipping a Chrome version below 149.0.7827.53 on a Windows base layer is flagged automatically in both registry scans and CI/CD pipeline checks.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 8.8 (HIGH) and weighting it against each customer org's compliance policy to prioritize routing. Triage findings are dispatched to the appropriate team inbox within each customer environment based on configured ownership rules.
Status: Available
A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard once the fix version is confirmed for a scanned image. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.
Status: Available
Exploit Conditions
- Network reachability: Required
  The attacker delivers the crafted HTML page over the network, so the target Chrome instance must be reachable or the user must browse to an attacker-controlled URL.
- Authentication: Not required
  No credentials or account privileges are needed; the attack is initiated through a public web page with no login barrier.
- Victim interaction: Required
  The user must navigate to or load a crafted HTML page, making this a social-engineering vector that depends on the victim taking an action in their browser.
- Attack complexity: Detail
  While the CVSS vector rates overall complexity as Low, the CVE description notes the attacker must have already compromised the renderer process, which is a significant pre-condition that raises the practical bar.
Blast Radius
- Attacker escapes Chrome's sandbox and gains code execution in the context of the Windows user running the browser.
- Files, credentials, and session data accessible to that Windows user account become readable.
- The attacker can write or modify files on the host filesystem within the user's permission scope.
- The host process can be crashed or further abused as a foothold for lateral movement on the underlying system.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-11041 is active across all customer environments, matching any image that bundles a Chrome binary below version 149.0.7827.53 on a Windows layer. A patched-image rebuild targeting 149.0.7827.53 is available as soon as an affected image is identified. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding the image, executing a regression run, and opening a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated changes, the finding is surfaced in the triage queue with remediation guidance and the confirmed fix version so engineering teams can act immediately.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H