CRITICAL | CVE-2026-11066 | CNA: Chrome

CVE-2026-11066: Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 149

Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

Insufficient input validation in ANGLE (Almost Native Graphics Layer Engine), the graphics translation layer bundled with Google Chrome, allows a remote attacker to escape the Chrome sandbox via a crafted HTML page. The vulnerability is reachable over the network with no authentication required, but the victim must visit a malicious page. Successful exploitation gives the attacker full read, write, and crash capabilities outside the browser sandbox, effectively achieving remote code execution on the host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or layer on top of Chrome. Any image carrying a Chrome version below 149.0.7827.53 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 9.6 Critical and surfaces it with that severity weighting in each customer environment. Per-environment compliance policy rules can further escalate or route the finding to the appropriate team inbox based on asset classification or regulatory profile.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by luring the victim to a crafted HTML page hosted on an attacker-controlled server.

  • Authentication: Not required

    No account or credential is needed; any unauthenticated visitor to the malicious page is a valid target.

  • Victim interaction: Required

    The victim must open the crafted HTML page in an affected Chrome version, making this a social-engineering or drive-by-browsing scenario.

  • Attack complexity (Detail)

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout assumptions, or environmental dependencies.

Blast Radius

  • Attacker breaks out of the Chrome renderer sandbox, gaining code execution in the context of the browser process on the host operating system.
  • With sandbox escape achieved, the attacker can read files and credentials stored on the host, including session tokens, SSH keys, and locally cached secrets.
  • The attacker can write or modify files on the host filesystem, enabling persistence mechanisms such as dropping malicious binaries or altering startup scripts.
  • The attacker can crash or destabilize the host process, causing service disruption for the affected user or system.

How HarborGuard Handles This

Available on HarborGuard: detection for this Critical sandbox-escape CVE is active across all customer environments, matching any image that ships Chrome below 149.0.7827.53. Where compliance policy permits, a patched-image rebuild at 149.0.7827.53 is queued automatically; for customers with auto-remediation enabled, HarborGuard performs the rebuild, executes regression tests against the updated image, and opens a pull request against affected workloads. For high and critical severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Given the critical severity and the browser-facing, zero-authentication exploit path, upgrading to 149.0.7827.53 or later should be treated as an immediate priority. Until patched images are deployed, consider network-policy controls that restrict outbound connectivity from hosts running affected Chrome versions and browser-policy configurations that block navigation to untrusted origins.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H