CVE-2026-11049: Use after free in Password Manager in Google Chrome prior to 149
Use after free in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Password Manager component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker to execute arbitrary code inside the Chrome sandbox. The attack is reachable over the network and requires no authentication, but does require the victim to visit a crafted HTML page. Successful exploitation grants the attacker arbitrary code execution within the browser sandbox, with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection for CVE-2026-11049 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images that bundle Google Chrome. Coverage applies to both registry scans and inline CI/CD pipeline checks.
Available
HarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency. Triage results are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
Available
A patched-image rebuild at Chrome version 149.0.7827.53 is available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard can perform the rebuild, run regression tests, and open a PR against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the victim over the network by serving a crafted HTML page from a remote origin.
- Authentication: Not required
  No credentials or account access are needed; the attacker requires only that the victim load a malicious page.
- Victim interaction: Required
  The victim must actively visit or be redirected to a crafted HTML page, making social engineering or a malicious link a prerequisite.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other environmental factors.
Blast Radius
- The attacker gains arbitrary code execution inside the Chrome renderer sandbox, enabling full control over the sandboxed process.
- Stored credentials and session data accessible to the Password Manager component are exposed to the attacker.
- The attacker can read, modify, or corrupt browser state and any data processed within the sandboxed context.
- The sandboxed process can be crashed or destabilized, disrupting browser availability for the victim.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11049 is matched against all customer images within minutes of ingestion from upstream advisory feeds. For environments where Chrome is bundled in a container image, a rebuild at the patched version 149.0.7827.53 is available as soon as the image is identified as affected. For customers who opt into auto-remediation, HarborGuard can trigger a full rebuild, execute a regression-test run, and open a pull request against affected workloads automatically; for high-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit automated remediation, the finding is surfaced in the HarborGuard dashboard with fix-version detail and routed to the team responsible for the affected image.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H