How is CVE-2026-11058 exploited?

Network reachability (required): The attacker must reach the victim over the network by delivering a crafted HTML page, making the service's network exposure a prerequisite. Authentication (not-required): No account or credentials are needed to initiate the attack; the attacker operates as an unauthenticated remote party. Victim interaction (required): The victim must load a crafted HTML page in the browser, requiring a social-engineering step such as clicking a malicious link. Attack complexity (info): Exploitation is high-complexity because the attacker must first have compromised the Chrome renderer process before the integer overflow can be leveraged for privilege escalation.

What is the impact of CVE-2026-11058?

A successful attacker gains elevated OS-level privileges on the affected Windows host, moving beyond the Chrome sandbox. With elevated privileges, the attacker can read sensitive files and credentials stored on the host, including those outside the browser's normal access scope. The attacker can modify system configuration, install persistent software, or tamper with other processes running on the same host. Availability of the host can be disrupted by terminating critical processes or corrupting system state.

Back to search

HIGHCVE-2026-11058Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11058: Integer overflow in CredentialProvider in Google Chrome on Windows prior to 149

Integer overflow in CredentialProvider in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform OS-level privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

An integer overflow in the CredentialProvider component of Google Chrome on Windows allows a remote attacker who has already compromised the browser's renderer process to escalate privileges at the operating system level. The attack requires network reachability, no authentication, victim interaction to load a crafted HTML page, and a high-complexity precondition: the attacker must first have renderer-level access. Successful exploitation grants the attacker elevated OS privileges, enabling broad control over the affected Windows host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-11058 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium installation on Windows base layers.

Available

Triage

HarborGuard scores this CVE at 7.5 HIGH (CVSS v3.1) and is capable of weighting that score against each customer environment's compliance policy to surface it at the appropriate severity tier, routing findings to the correct team inbox within each org.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the victim over the network by delivering a crafted HTML page, making the service's network exposure a prerequisite.
AuthenticationNot required
No account or credentials are needed to initiate the attack; the attacker operates as an unauthenticated remote party.
Victim interactionRequired
The victim must load a crafted HTML page in the browser, requiring a social-engineering step such as clicking a malicious link.
Attack complexityDetail
Exploitation is high-complexity because the attacker must first have compromised the Chrome renderer process before the integer overflow can be leveraged for privilege escalation.

Blast Radius

A successful attacker gains elevated OS-level privileges on the affected Windows host, moving beyond the Chrome sandbox.
With elevated privileges, the attacker can read sensitive files and credentials stored on the host, including those outside the browser's normal access scope.
The attacker can modify system configuration, install persistent software, or tamper with other processes running on the same host.
Availability of the host can be disrupted by terminating critical processes or corrupting system state.

How HarborGuard Handles This

Available on HarborGuard: detection of this CVE is matched against every image in a customer's registry within minutes of ingestion, covering custom Windows-based images that include a Chrome or Chromium binary. For environments where an affected Chrome version is identified, a rebuild pinned to 149.0.7827.53 is made available. For customers who opt into auto-remediation, HarborGuard triggers a full rebuild, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS context and affected image details attached.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available