CVE-2026-11054: Use after free in WebRTC in Google Chrome prior to 149
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the WebRTC component of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the browser sandbox by luring a user to a crafted HTML page. The flaw is reachable over the network and requires no authentication, only a single user interaction (visiting the malicious page). Successful exploitation gives the attacker arbitrary code execution within the Chrome sandbox, with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11054 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication, including custom-built images that bundle a Chrome or Chromium binary.
AvailableHarborGuard is capable of scoring this CVE at 8.8 HIGH using its CVSS v3.1 vector and weighting the finding against each environment's compliance policy, then routing the alert to the appropriate team inbox within the customer organization.
AvailableA patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to include an affected Chrome or Chromium version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network; the target must be able to reach (or be directed to) an attacker-controlled web server.
- AuthenticationNot required
No account or credential is needed; any anonymous user can be targeted.
- Victim interactionRequired
The victim must visit a crafted HTML page, making this a social-engineering-dependent exploit (for example, via a phishing link or malicious advertisement).
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- The attacker executes arbitrary code inside the Chrome renderer sandbox, gaining full control of the sandboxed process.
- With renderer-level code execution, the attacker can read any data the page has access to, including session tokens, form inputs, and cookies.
- The attacker can modify page state and browser-mediated storage, potentially tampering with data the victim submits or receives.
- The renderer process can be crashed or made unresponsive, disrupting the user's browsing session.
How HarborGuard Handles This
Available on HarborGuard: image scanning for CVE-2026-11054 runs against all registered images, including custom images that bundle Chrome or Chromium, within minutes of the advisory being ingested. For environments where the affected version is detected, a rebuild at Chrome 149.0.7827.53 is made available automatically. Where compliance policy permits auto-remediation, HarborGuard can complete the rebuild, execute regression tests, and open a PR against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments that do not permit automated changes, the finding appears in the triage queue with CVSS scoring, affected image inventory, and remediation guidance so teams can act manually.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H