How is CVE-2026-11061 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing a victim to a crafted HTML page hosted on an attacker-controlled server. Authentication (not-required): No account credentials or prior authentication are needed; any unauthenticated remote attacker can attempt exploitation. Victim interaction (required): The victim must open a crafted HTML page in a vulnerable Chrome instance, meaning the attacker must socially engineer or redirect a user to that page. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or non-default configuration.

What is the impact of CVE-2026-11061?

Attacker escapes Chrome's renderer sandbox, gaining code execution in a more privileged process context outside normal browser containment. Confidential data accessible to the browser process, including stored credentials, session tokens, and local files, becomes readable to the attacker. The attacker can write or modify files and data on the host system within the reach of the compromised process. The compromised process can be used to crash or destabilize affected services, causing denial of service to the host environment.

Back to search

CRITICALCVE-2026-11061Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11061: Type Confusion in ANGLE in Google Chrome prior to 149

Type Confusion in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A type confusion vulnerability in ANGLE (Chrome's OpenGL ES translation layer) affects Google Chrome versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but does require a victim to visit a crafted HTML page. Successful exploitation allows a remote attacker to escape Chrome's renderer sandbox, gaining the ability to read data, modify files, and disrupt services outside the browser's normal containment boundary. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11061 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from Chrome-based base layers.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 9.6 (Critical) and weighting it against each environment's compliance policy to determine priority; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing a victim to a crafted HTML page hosted on an attacker-controlled server.
AuthenticationNot required
No account credentials or prior authentication are needed; any unauthenticated remote attacker can attempt exploitation.
Victim interactionRequired
The victim must open a crafted HTML page in a vulnerable Chrome instance, meaning the attacker must socially engineer or redirect a user to that page.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or non-default configuration.

Blast Radius

Attacker escapes Chrome's renderer sandbox, gaining code execution in a more privileged process context outside normal browser containment.
Confidential data accessible to the browser process, including stored credentials, session tokens, and local files, becomes readable to the attacker.
The attacker can write or modify files and data on the host system within the reach of the compromised process.
The compromised process can be used to crash or destabilize affected services, causing denial of service to the host environment.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11061 is active across all connected environments as soon as the CVE enters upstream feeds. For environments running Chrome-based images at versions below 149.0.7827.53, a patched rebuild at 149.0.7827.53 is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the affected image, executes a regression run, and opens a pull request against impacted workloads; for high and critical severity issues, the median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with full CVSS detail and remediation guidance so teams can act manually. Given the sandbox-escape impact and the network-reachable, zero-authentication attack path requiring only a victim page visit, prioritizing this rebuild is strongly advisable.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available