CVE-2026-11059: Use after free in Blink in Google Chrome prior to 149
Use after free in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in Blink, the rendering engine inside Google Chrome, affects all Chrome versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but a victim must open a crafted HTML page delivered by the attacker. Successful exploitation gives the attacker arbitrary code execution inside Chrome's renderer sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome binary.
HarborGuard scores this finding at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing, surfacing it to the appropriate team inbox inside each customer organization.
A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any environment whose scanned images include an affected Chrome version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the exploit over the network; the victim's browser must be able to fetch the attacker-controlled HTML page.
- Authentication: Not required
  No account or credential is needed on any system; the attacker only needs to serve a malicious page.
- Victim interaction: Required
  The victim must navigate to or be redirected to a crafted HTML page, making this a social-engineering or malicious-link scenario.
- Attack complexity: Low
  Exploit reliability is high, and exploitation requires no special environmental conditions, race conditions, or memory-layout dependencies.
Blast Radius
- The attacker executes arbitrary code inside Chrome's renderer sandbox, gaining full control of the rendering process handling the victim's tab.
- Confidential data processed in the affected browsing context, including page content, stored credentials auto-filled by the browser, and session tokens, is readable by the attacker.
- The attacker can modify in-page data and trigger network requests from the victim's browser, enabling tampering with web application state.
- The affected renderer process can be crashed or destabilized, disrupting the victim's session and any background tasks tied to that process.
How HarborGuard Handles This
Available on HarborGuard: images containing a Chrome binary older than 149.0.7827.53 are flagged automatically as soon as the CVE feed is ingested, typically within minutes of publication. Where compliance policy permits auto-remediation, HarborGuard rebuilds the affected image at the patched version, runs a regression test suite against it, and opens a pull request targeting affected workloads; for HIGH-severity issues the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled, the finding is routed to the designated security inbox with full CVSS context and fix-version detail so teams can act manually. Given that exploitation requires only a single user click and no authentication, prioritizing this update is advised for any image or workload that ships or embeds a Chrome or Chromium binary.
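The detection rule described above, flagging any image whose Chrome binary is older than 149.0.7827.53, comes down to a numeric version comparison. The following Python is an added example, not HarborGuard's code: it parses Chrome's four-component version strings, classifies each against the fixed version named in this advisory, and runs over a constructed sample inventory (the image names and version values are made up for illustration). Versions that cannot be parsed are reported for manual review rather than silently treated as clean.

```python
# Added example (not HarborGuard's code): classifying Chrome/Chromium version
# strings against the first fixed release named in this advisory.
from typing import Dict, Tuple

FIXED_VERSION = "149.0.7827.53"   # first fixed release, from the advisory


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Parse a dotted Chrome version (MAJOR.MINOR.BUILD.PATCH) into four ints.

    Missing trailing components are padded with 0, so "149.0.7827" compares
    as 149.0.7827.0. Any non-numeric component raises ValueError.
    """
    parts = v.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {v!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the first fixed release.

    Tuples of ints compare numerically; comparing the raw strings would be
    lexicographic and rank "149.0.7827.9" *after* "149.0.7827.53", which is
    exactly the mistake that produces a false "not affected".
    """
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory: image reference -> Chrome version found in it.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ci-browser-tests:stable": "148.0.7790.120",  # older major: affected
    "pdf-render:1.4": "149.0.7827.9",             # older patch: affected
    "kiosk-frontend:latest": "149.0.7827.53",     # exactly the fix: not affected
    "headless-crawler:2": "150.0.7900.1",         # newer: not affected
    "legacy-app:0.9": "unknown",                  # no usable version string
}


def flag_inventory(inventory: Dict[str, str],
                   fixed: str = FIXED_VERSION) -> Dict[str, str]:
    """Classify each image as 'affected', 'fixed' or 'unparseable'.

    Unparseable versions are surfaced rather than skipped, so a scanner that
    cannot read the version never reports a false "clean" for that image.
    """
    result: Dict[str, str] = {}
    for image, version in inventory.items():
        try:
            result[image] = "affected" if is_affected(version, fixed) else "fixed"
        except ValueError:
            result[image] = "unparseable"
    return result


if __name__ == "__main__":
    for image, status in flag_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:12} {image}")
```

The `pdf-render:1.4` entry is the case worth noting: its patch component (9) is numerically below 53, but a naive string comparison would sort it after the fixed version and miss it.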
Fix available
- Google / Chrome: affected < 149.0.7827.53; fixed from 149.0.7827.53
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H