CRITICAL | CVE-2026-11052 | CNA: Chrome

CVE-2026-11052: Type Confusion in GPU in Google Chrome on Windows prior to 149

Type Confusion in GPU in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

A type confusion vulnerability in the GPU component of Google Chrome on Windows (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. The attack is reachable over the network, requires no authentication, but does need the victim to visit or interact with a malicious page. Successful exploitation gives the attacker full read, write, and execution capability outside the Chrome sandbox on the affected Windows host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in all connected registries and CI pipelines, including custom-built images that bundle a Chrome or Chromium installation.

Triage: Available

HarborGuard scores this CVE at 9.6 CRITICAL using the CVSS v3.1 vector and surfaces it with that rating in each customer org; per-environment compliance policy weighting can escalate or suppress routing, and the finding is dispatched to the inbox or ticket queue configured for the relevant team.

Patch: Available

A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, the platform triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim over the network by serving a crafted HTML page from a remote origin (AV:N).

  • Authentication: Not required

    No account or credential is needed; the attacker requires no prior authentication on any system (PR:N).

  • Victim interaction: Required

    The victim must visit or interact with the attacker-controlled page in Chrome, making this a user-interaction-dependent attack (UI:R).

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout (AC:L).

Blast Radius

  • An attacker who triggers the type confusion escapes the Chrome renderer sandbox and gains code execution in a higher-privilege Windows process outside the sandbox boundary.
  • With sandbox escape achieved, the attacker reads files, credentials, and session material accessible to the Windows user running Chrome.
  • The attacker writes or modifies files and registry entries on the host, enabling persistence mechanisms or lateral-movement staging.
  • The attacker crashes or destabilizes host processes, causing denial of service to the affected Windows endpoint.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image in a connected registry or pipeline that bundles a pre-149.0.7827.53 Chrome build on Windows, including internal images. Given the CRITICAL severity (9.6), this CVE is prioritized for fast triage routing. For customers with auto-remediation enabled, HarborGuard can rebuild the affected image at the fixed version, run a regression test suite against the new image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high and critical severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is queued for manual review with fix-version context included. Customers who cannot immediately rebuild are advised to apply network-policy controls that restrict which workloads can serve or load arbitrary external HTML, reducing the social-engineering surface until a patched image is deployed.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H