How is CVE-2026-11055 exploited?

Network reachability (required): The attacker delivers the exploit over the network; the targeted Chrome instance must be reachable in the sense that the user can browse to an attacker-controlled URL. Authentication (not-required): No account or credentials are needed; any unauthenticated remote attacker who can serve a crafted HTML page can attempt exploitation. Victim interaction (required): The victim must navigate to or open a crafted HTML page, making this a social-engineering vector that requires a user action. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

What is the impact of CVE-2026-11055?

The attacker executes arbitrary code in the context of the Chrome renderer process, gaining code execution inside the sandbox. Confidential data accessible to the renderer, such as page contents, stored credentials surfaced by autofill, and session tokens, can be read. The attacker can tamper with page data and browser state, including modifying rendered content or injecting further malicious scripts. The renderer process can be crashed or destabilized, disrupting the browsing session for the affected user.

Back to search

HIGHCVE-2026-11055Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11055: Use after free in ANGLE in Google Chrome on Windows prior to 149

Use after free in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in ANGLE, the graphics-translation layer used by Google Chrome on Windows, in versions prior to 149.0.7827.53. The flaw is reachable over the network with no prior authentication, but requires a user to visit a crafted HTML page. Successful exploitation allows a remote attacker to execute arbitrary code inside the Chrome sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-11055 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium-based components.

Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and is capable of weighting that score against each environment's compliance policy to route findings to the appropriate team or inbox within the customer organization.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any environment whose scanned images include an affected Chrome version. For customers with auto-remediation enabled, HarborGuard can perform the rebuild, run regression tests, and open a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network; the targeted Chrome instance must be reachable in the sense that the user can browse to an attacker-controlled URL.
AuthenticationNot required
No account or credentials are needed; any unauthenticated remote attacker who can serve a crafted HTML page can attempt exploitation.
Victim interactionRequired
The victim must navigate to or open a crafted HTML page, making this a social-engineering vector that requires a user action.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

The attacker executes arbitrary code in the context of the Chrome renderer process, gaining code execution inside the sandbox.
Confidential data accessible to the renderer, such as page contents, stored credentials surfaced by autofill, and session tokens, can be read.
The attacker can tamper with page data and browser state, including modifying rendered content or injecting further malicious scripts.
The renderer process can be crashed or destabilized, disrupting the browsing session for the affected user.

How HarborGuard Handles This

Available on HarborGuard: any customer image that packages Chrome or a Chromium-based browser on Windows is matched against this CVE at ingest time. For environments confirmed to be running a version below 149.0.7827.53, a rebuilt image at the fix version is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes the configured regression-test suite, and opens a PR against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled, the finding appears in the HarborGuard dashboard with the fix version cited so engineers can act manually. Because the exploit requires victim interaction via a crafted page, network-policy controls that restrict outbound browsing from container workloads serve as a useful compensating control until the patched image is deployed.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available