HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-11063Published Modified CNA Chrome

CVE-2026-11063: Insufficient validation of untrusted input in WebNN in Google Chrome on Windows prior to 149

Insufficient validation of untrusted input in WebNN in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
149.0.7827.53
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in Google Chrome's WebNN component on Windows, caused by insufficient validation of untrusted input. The flaw is reachable over the network and requires no authentication, but does require a victim to interact with a crafted HTML page; exploitation also requires that the attacker has already compromised the renderer process. Successful exploitation allows a remote attacker to break out of Chrome's sandbox, gaining capabilities beyond the browser process, including full confidentiality, integrity, and availability impact on the host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-11063 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and active pipelines, including custom-built images that bundle a Chromium or Chrome binary.

Available
Triage

HarborGuard scores this CVE at 9.6 CRITICAL using the CVSS v3.1 vector and weights it against each environment's compliance policy to determine breach-of-threshold routing; triage findings are dispatched to the appropriate team inbox within each customer organization based on configured escalation rules.

Available
Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard as soon as the fix version is confirmed in upstream advisory feeds. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the exploit over the network by directing a victim to a crafted HTML page, so the vulnerable Chrome instance must be reachable from an internet-facing or network-adjacent context.

  • AuthenticationNot required

    No account or credential of any kind is needed; the attack can be launched by any unauthenticated remote party.

  • Victim interactionRequired

    The victim must open or be redirected to a crafted HTML page, making social engineering or a malicious-link delivery mechanism a prerequisite.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout; however, the attacker must separately have compromised the renderer process before leveraging this sandbox escape.

Blast Radius

  • Attacker escapes Chrome's sandbox and executes code at the privilege level of the browser process on the Windows host, bypassing the containment layer that normally limits renderer compromise.
  • Full confidentiality impact: the escaped process reads files, credentials, and session data accessible to the Chrome user account on the host.
  • Full integrity impact: the escaped process writes or modifies files, registry keys, and persisted data on the host.
  • Full availability impact: the escaped process can terminate processes, corrupt data, or otherwise crash or destabilize the host environment.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11063 is matched against any image that bundles a Chrome or Chromium binary below version 149.0.7827.53, including custom application images that ship Chrome as a dependency. A rebuilt image at the patched version is made available as soon as the fix is confirmed in upstream feeds. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at 149.0.7827.53, runs a regression test pass against the new image, and opens a pull request against affected workloads; for environments with auto-remediation enabled, the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes. Where compliance policy requires manual approval before patching, the triage finding is routed to the appropriate inbox so the team can act immediately. Given the critical CVSS score and the sandbox-escape impact, teams that cannot patch immediately should consider network-policy controls that restrict which container workloads are permitted to run a browser process, and egress filtering to limit outbound connections from those workloads.

See how HarborGuard automates this

Fix available

149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References