CVE-2026-11042: Use after free in Views in Google Chrome prior to 149
Use after free in Views in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
Use-after-free in the Views component of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to corrupt heap memory. The vulnerability is reachable over the network and requires no authentication, but does require the attacker to convince a target user to perform specific UI gestures on a crafted HTML page. Successful exploitation gives the attacker read access to sensitive memory, the ability to tamper with process memory, and the ability to crash or destabilize the browser process, with potential for arbitrary code execution via heap corruption. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection is available across every HarborGuard environment. CVE-2026-11042 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome or Chromium runtime.
Status: Available
HarborGuard scores this CVE at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are sent to the appropriate team inbox within the customer org based on configured ownership rules.
Status: Available
A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment whose images include an affected Chrome version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Status: Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the crafted HTML page over the network, so the target's browser must be able to reach attacker-controlled content.
- Authentication: Not required
No account or credential is needed; the attack is launched against any user who visits the malicious page.
- Victim interaction: Required
The attacker must convince the target user to perform specific UI gestures on the crafted page, making this a social-engineering-dependent exploit path.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit does not depend on race conditions or specific memory layouts and is reliable once the victim performs the required gestures.
Blast Radius
- Reads process memory contents, which may include session tokens, credentials, or other sensitive data held in the browser's heap.
- Modifies in-process memory, enabling the attacker to tamper with page state, bypass security checks, or corrupt data structures.
- Crashes the browser process or renders it unstable, causing denial of service for the affected user session.
- Heap corruption from a use-after-free at this severity level is a recognized stepping stone to arbitrary code execution within the browser process.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11042 is active across all scanning pipelines, matching any image that bundles a Chrome or Chromium binary older than 149.0.7827.53. A patched-image rebuild at the fixed version is available for affected environments. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the patched version, runs a regression test suite, and opens a PR against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the rebuilt image is staged and waiting for manual promotion. Customers who cannot immediately update should consider network-policy controls that restrict which origins their containerized Chrome instances can load, reducing the surface for delivering a crafted HTML page.
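The version match described above can be reproduced locally. The following is an added example, not HarborGuard's code: it classifies the output of a browser's `--version` command against the fixed version 149.0.7827.53, comparing numerically because a plain string comparison ranks 149.0.7827.9 above 149.0.7827.53. The workload names and version banners are constructed sample data.

```python
import re

FIXED = (149, 0, 7827, 53)  # fixed version stated in the advisory

# Four-part dotted version as printed by Chrome/Chromium `--version`.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Return the four-part version as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(banner)
    return tuple(int(part) for part in m.groups()) if m else None


def is_affected(banner):
    """True if older than FIXED, False if at or above it, None if unparseable."""
    version = parse_version(banner)
    if version is None:
        return None  # do not guess: an unreadable banner needs manual review
    return version < FIXED  # tuple comparison is numeric per component


def triage(banners):
    """Group workload names by verdict for a {name: version banner} mapping."""
    result = {"affected": [], "patched": [], "unknown": []}
    for name, banner in banners.items():
        verdict = is_affected(banner)
        key = "unknown" if verdict is None else ("affected" if verdict else "patched")
        result[key].append(name)
    return result


# Constructed sample: hypothetical workload names and version banners.
SAMPLE = {
    "ci-runner": "Google Chrome 149.0.7827.9 ",
    "pdf-render": "Chromium 148.0.7778.96 built on Debian",
    "e2e-tests": "Google Chrome 149.0.7827.53 ",
    "scraper": "HeadlessChrome/150.0.7871.2",
    "legacy": "chrome: not found",
}

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE).items():
        print(f"{verdict}: {names}")
```

Workloads that land in "unknown" should be inspected by hand rather than treated as patched.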
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H