How is CVE-2026-11070 exploited?

Network reachability (required): The attacker must reach the target over the network, as the vulnerability is exposed through network traffic processed by Chrome's network process. Authentication (not-required): No credentials or account are needed; the attacker can send malicious network traffic without authenticating to the target. Victim interaction (required): A user must be actively running a Chrome session that processes the attacker's malicious network traffic, implying a social-engineering or session-hijacking setup is needed to put the victim in reach. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors, though it does require a prior network process compromise as a precondition.

What is the impact of CVE-2026-11070?

An attacker escapes the Chrome sandbox entirely, gaining code execution outside the browser's isolated process on the Windows host. Confidential data accessible to the host user process, including stored credentials, session tokens, and local files, becomes readable. The attacker can write or modify files and data on the host, tampering with application state or planting persistent access. The attacker can crash or disrupt the host-level process, causing denial of service to the affected workload.

Back to search

CRITICALCVE-2026-11070Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11070: Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 149

Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the network process to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Medium)

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an insufficient input validation vulnerability in the Chromoting component of Google Chrome on Windows, affecting versions prior to 149.0.7827.53. The flaw is reachable over the network without authentication, but requires a user to interact with a browser session and assumes the attacker has already compromised the network process. Successful exploitation allows a full sandbox escape, giving the attacker high-impact read, write, and denial-of-service capabilities outside the Chrome sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11070 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium installation on Windows base layers.

Available

Triage

HarborGuard is capable of scoring this CVE at its full CVSS v3.1 rating of 9.6 (Critical) and weighting that score against each environment's compliance policy to surface it at the appropriate priority. Routing to the correct team inbox within each customer organization is handled automatically based on policy configuration.

Available

Patch

A patched-image rebuild at Chrome version 149.0.7827.53 becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the target over the network, as the vulnerability is exposed through network traffic processed by Chrome's network process.
AuthenticationNot required
No credentials or account are needed; the attacker can send malicious network traffic without authenticating to the target.
Victim interactionRequired
A user must be actively running a Chrome session that processes the attacker's malicious network traffic, implying a social-engineering or session-hijacking setup is needed to put the victim in reach.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors, though it does require a prior network process compromise as a precondition.

Blast Radius

An attacker escapes the Chrome sandbox entirely, gaining code execution outside the browser's isolated process on the Windows host.
Confidential data accessible to the host user process, including stored credentials, session tokens, and local files, becomes readable.
The attacker can write or modify files and data on the host, tampering with application state or planting persistent access.
The attacker can crash or disrupt the host-level process, causing denial of service to the affected workload.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11070 is active across all connected registries and pipelines, matching any image that bundles an affected Chrome build on a Windows layer. Given the Critical severity rating of 9.6, this CVE is surfaced at the highest priority tier and routed according to each environment's compliance policy. Where compliance policy permits auto-remediation, HarborGuard is capable of rebuilding the affected image at Chrome 149.0.7827.53, executing a regression test run, and opening a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that require manual approval, the rebuilt image at the fixed version is staged and ready for promotion as soon as the responsible team reviews and approves.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available