CVE-2026-11065: Use after free in ANGLE in Google Chrome prior to 149
Use after free in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in ANGLE (the graphics abstraction layer) affects Google Chrome versions prior to 149.0.7827.53. The bug is reachable over the network without authentication, but requires the attacker to have already compromised the renderer process and to trick the victim into visiting a crafted HTML page. Successful exploitation enables a sandbox escape, giving the attacker code-execution capabilities outside the Chrome sandbox with high impact on confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-11065 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or ship Chrome. Any image carrying a vulnerable Chrome version is flagged automatically.
HarborGuard scores this CVE at CVSS 9.6 (Critical) and applies per-environment compliance policy weighting to determine urgency and routing. Each customer organization receives findings in the inbox or ticketing integration configured for their environment, prioritized according to their own risk thresholds.
A patched-image rebuild at Chrome 149.0.7827.53 becomes available through HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted remotely.
- Authentication: Not required. No account or credentials are needed; the attacker interacts with the browser as an anonymous remote party.
- Victim interaction: Required. The victim must visit a crafted HTML page, meaning the attacker must use a phishing or drive-by delivery method to lure the target.
- Attack complexity. Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond the prerequisite renderer compromise.
Blast Radius
- The attacker escapes the Chrome sandbox and executes arbitrary code in the context of the browser process on the host.
- With code execution outside the sandbox, the attacker reads files, stored credentials, and session data accessible to the browser process.
- The attacker modifies or deletes files and browser-stored data within the reach of the compromised process.
- The attacker can crash or destabilize the browser process, disrupting availability for the affected user.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11065 is active across all connected registries and CI pipelines, matching images that ship Chrome against the affected version range. For environments where a patched rebuild is applicable, a new image based on Chrome 149.0.7827.53 is made available as soon as the fix version is confirmed. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes regression tests, and opens a pull request against affected workloads; for Critical-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with version pinning guidance so engineering teams can act on their own schedule.
Fix available
- Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H