How is CVE-2026-11068 exploited?

Network reachability (required): The attacker delivers the exploit over the network; the target Chrome instance must be able to reach an attacker-controlled or compromised web origin. Authentication (not-required): No account or credential is needed; any unauthenticated remote attacker can serve the malicious page. Victim interaction (required): The victim must navigate to or be redirected to a crafted HTML page, making this a social-engineering or drive-by-delivery scenario. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no race condition, specific memory layout, or other environmental precondition to succeed.

What is the impact of CVE-2026-11068?

A successful attacker executes arbitrary code inside the Chrome renderer sandbox, gaining a foothold for further browser-level exploitation. With code execution inside the sandbox, an attacker reads data accessible to the browser process, including session tokens, cookies, and page content from open tabs. The attacker can modify browser state or inject content into pages the victim is viewing, enabling credential theft or data tampering. The Chrome process can be crashed or made unresponsive, disrupting the victim's browsing session.

Back to search

HIGHCVE-2026-11068Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11068: Use after free in WebSockets in Google Chrome prior to 149

Use after free in WebSockets in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the WebSockets implementation of Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but a victim must visit a crafted HTML page for exploitation to succeed. Successful exploitation allows a remote attacker to execute arbitrary code inside the Chrome sandbox, with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-11068 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images that bundle a Chrome or Chromium binary. Any image containing a Chrome version below 149.0.7827.53 is flagged automatically in connected registries and CI pipelines.

Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network; the target Chrome instance must be able to reach an attacker-controlled or compromised web origin.
AuthenticationNot required
No account or credential is needed; any unauthenticated remote attacker can serve the malicious page.
Victim interactionRequired
The victim must navigate to or be redirected to a crafted HTML page, making this a social-engineering or drive-by-delivery scenario.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no race condition, specific memory layout, or other environmental precondition to succeed.

Blast Radius

A successful attacker executes arbitrary code inside the Chrome renderer sandbox, gaining a foothold for further browser-level exploitation.
With code execution inside the sandbox, an attacker reads data accessible to the browser process, including session tokens, cookies, and page content from open tabs.
The attacker can modify browser state or inject content into pages the victim is viewing, enabling credential theft or data tampering.
The Chrome process can be crashed or made unresponsive, disrupting the victim's browsing session.

How HarborGuard Handles This

Available on HarborGuard: any image containing Chrome below 149.0.7827.53 is detected and flagged within minutes of CVE ingestion, with no manual scan trigger required. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image at the patched version (149.0.7827.53), runs a regression test pass, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For customers who review and apply patches manually, the rebuilt image is staged and ready in the HarborGuard patch queue as soon as the fix version is confirmed. Where compliance policy permits, enabling auto-remediation is the fastest path to closing this vulnerability given its low attack complexity and lack of authentication requirement.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available