CVE-2026-11060: Use after free in Media in Google Chrome on Windows prior to 149
Use after free in Media in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Media component of Google Chrome on Windows allows a remote attacker to execute arbitrary code inside the browser sandbox. The vulnerability is reachable over the network with no authentication required, but the victim must visit a crafted HTML page. Successful exploitation gives the attacker code execution within the Chrome sandbox, which, combined with a sandbox escape, could lead to full system compromise. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium. (Available)
HarborGuard scores this CVE at CVSS 8.8 (HIGH) and can weight that score against each customer organization's compliance policy to route actionable alerts to the appropriate team inbox. (Available)
A patched-image rebuild at Chrome version 149.0.7827.53 becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically. (Available)
Exploit Conditions
- Network reachability: Required
  The attacker delivers the exploit over the network; the victim's browser must be able to reach an attacker-controlled or compromised web page.
- Authentication: Not required
  No account or credential is needed; any unauthenticated user who browses to the crafted page is exposed.
- Victim interaction: Required
  The victim must visit a crafted HTML page, making social engineering (phishing link, malicious ad, compromised site) a necessary part of the attack chain.
- Attack complexity
  Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environment-specific conditions to trigger.
Blast Radius
- The attacker executes arbitrary code within the Chrome renderer sandbox on the victim's Windows host.
- Confidential data processed by the browser (session tokens, form input, cached credentials) is readable by the attacker's injected code.
- The attacker can modify or corrupt in-browser state, including DOM content and stored site data accessible to the renderer.
- A sandbox escape chained to this vulnerability would give the attacker full user-level access to the underlying Windows host.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome prior to 149.0.7827.53 on Windows are flagged immediately upon CVE ingestion. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image at the fixed version (149.0.7827.53), runs regression tests, and opens a patch PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with CVSS context and fix-version detail so engineering teams can act directly. In the interim, network policy rules that restrict end-user access to untrusted external sites reduce exposure for browser-bundling images.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H