HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-11056Published Modified CNA Chrome

CVE-2026-11056: Insufficient validation of untrusted input in SiteIsolation in Google Chrome on Windows prior to 149

Insufficient validation of untrusted input in SiteIsolation in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
149.0.7827.53
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in Google Chrome's SiteIsolation component on Windows. An attacker who has already compromised the renderer process can exploit insufficient input validation by directing a victim to a crafted HTML page, allowing the attacker to break out of Chrome's security sandbox. Successful exploitation gives the attacker full code execution in the context of the browser process, bypassing the isolation that normally contains renderer-level compromises. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Chrome security advisory and NVD) within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.

Available
Triage

HarborGuard scores this finding at CVSS 9.6 (Critical) and applies per-environment compliance policy weighting to determine urgency and routing, directing alerts to the appropriate team inbox within each customer organization.

Available
Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to include an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the crafted HTML page over the network, so the target must be reachable to receive and load attacker-controlled web content.

  • AuthenticationNot required

    No account or credentials are needed; any user who visits the crafted page is exposed.

  • Victim interactionRequired

    The victim must navigate to or be redirected to the attacker's crafted HTML page, making this a social-engineering or drive-by scenario.

  • Attack complexityDetail

    Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond the attacker having a compromised renderer process.

Blast Radius

  • The attacker escapes Chrome's renderer sandbox and executes arbitrary code in the higher-privileged browser process on the victim's Windows host.
  • With browser-process access, the attacker reads files and credentials accessible to the logged-in user, including cookies, saved passwords, and local documents.
  • The attacker writes or modifies files on the host filesystem within the user's permission scope, enabling persistence mechanisms such as dropping executables or altering startup entries.
  • The compromised browser process can be leveraged to crash or destabilize Chrome, disrupting the user's session and any dependent web-based workflows.

How HarborGuard Handles This

Available on HarborGuard: any image that bundles Google Chrome for Windows is scanned on ingest and flagged if it includes a version below 149.0.7827.53. A rebuilt image at the patched version is made available immediately. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs regression tests, and opens a pull request against affected workloads; for Critical-severity findings the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers whose compliance policy does not permit automatic changes, the finding appears in the triage queue with full CVSS detail and remediation guidance so the responsible team can act manually. Because this vulnerability requires a pre-compromised renderer process as a prerequisite, teams should also consider network-policy controls that restrict outbound connections from containerized browser workloads as a compensating control while rollout is in progress.

See how HarborGuard automates this

Fix available

149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References