How is CVE-2026-11043 exploited?

Network reachability (required): The attacker delivers the crafted HTML page over the network, so the targeted service or user must be reachable from an internet or network-adjacent origin. Authentication (not-required): No account credentials or prior authentication are needed to serve the malicious page to a victim. Victim interaction (required): A victim must navigate to or otherwise load the attacker-controlled HTML page, requiring a social-engineering step such as a phishing link or malicious ad. Attack complexity (info): The exploit itself is condition-free and reliable once the renderer process is compromised, though gaining that renderer compromise is itself a prerequisite step that adds practical complexity.

What is the impact of CVE-2026-11043?

Attacker escapes the Chrome sandbox on macOS, gaining code execution at the level of the browser process outside the sandbox boundary. With sandbox escape achieved, the attacker reads files, stored credentials, and session tokens accessible to the user running Chrome. The attacker writes or modifies files on the host filesystem, including persisted application data and configuration files. The attacker crashes or otherwise disrupts the browser process and any dependent services running under the same user account.

Back to search

CRITICALCVE-2026-11043Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11043: Out of bounds write in ANGLE in Google Chrome on Mac prior to 149

Out of bounds write in ANGLE in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

Out-of-bounds write vulnerability in ANGLE (the graphics abstraction layer) within Google Chrome on macOS, affecting all versions prior to 149.0.7827.53. The vulnerability is reachable over the network and requires no authentication, but does require a victim to interact with a crafted HTML page; it also requires the attacker to have already compromised the Chrome renderer process. Successful exploitation allows a full sandbox escape, giving the attacker code execution outside the browser sandbox with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11043 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or layer Chrome on macOS base images. Any image in a customer registry or CI/CD pipeline carrying a vulnerable Chrome version is flagged automatically.

Available

Triage

Triage is available with the CVSS v3.1 score of 9.6 (Critical) surfaced alongside per-environment compliance policy weighting, so teams running stricter browser-security policies see this issue elevated accordingly. Routing to the appropriate team inbox within each customer organization is handled based on image ownership and policy configuration.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available in HarborGuard as soon as the fix version is confirmed. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, so the targeted service or user must be reachable from an internet or network-adjacent origin.
AuthenticationNot required
No account credentials or prior authentication are needed to serve the malicious page to a victim.
Victim interactionRequired
A victim must navigate to or otherwise load the attacker-controlled HTML page, requiring a social-engineering step such as a phishing link or malicious ad.
Attack complexityDetail
The exploit itself is condition-free and reliable once the renderer process is compromised, though gaining that renderer compromise is itself a prerequisite step that adds practical complexity.

Blast Radius

Attacker escapes the Chrome sandbox on macOS, gaining code execution at the level of the browser process outside the sandbox boundary.
With sandbox escape achieved, the attacker reads files, stored credentials, and session tokens accessible to the user running Chrome.
The attacker writes or modifies files on the host filesystem, including persisted application data and configuration files.
The attacker crashes or otherwise disrupts the browser process and any dependent services running under the same user account.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11043 is active for any image in a customer registry or pipeline that includes a Chrome build older than 149.0.7827.53 on a macOS base layer. A patched-image rebuild at 149.0.7827.53 is available for affected images. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, executes the configured regression test run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy permits, the full rebuild-and-PR flow runs without manual intervention. Customers who manage patching manually will see the vulnerability flagged in their HarborGuard dashboard with fix-version guidance and image-level remediation instructions.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available