HIGH | CVE-2026-11071 | CNA: Chrome

CVE-2026-11071: Use after free in Base in Google Chrome on Linux prior to 149

Use after free in Base in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

Use-after-free vulnerability in the Base component of Google Chrome on Linux (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to read arbitrary regions of process memory by serving a crafted HTML page. The attack is reachable over the network and requires no authentication, though it does require the victim to visit a malicious page. Successful exploitation exposes sensitive data held in memory, including session tokens, credentials, or other in-process secrets. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: CVE-2026-11071 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome binary. Coverage extends to both registry scans and active CI/CD pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.8 (High) and weights it against each environment's compliance policy before routing the finding to the appropriate team inbox within the customer org. Per-environment factors such as internet-facing workloads or privileged-data classifications can further elevate the effective priority.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable or browsing to an attacker-controlled origin.

  • Authentication: Not required

    No account or credential on the target system is needed; any unauthenticated remote attacker can serve the malicious page.

  • Victim interaction: Required

    The victim must open or be redirected to a crafted HTML page in the affected Chrome browser, making this a social-engineering or malicious-ad delivery scenario.

  • Attack complexity: Detail

    Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors, though it does require a prior renderer compromise as a precondition.

Blast Radius

  • Reads arbitrary regions of the renderer process memory, exposing in-process secrets such as session tokens, cached credentials, and decrypted page content.
  • Exfiltrates any sensitive data the compromised renderer currently holds, including form autofill values and authentication cookies loaded in active tabs.
  • The CVSS integrity and availability scores are both High, so depending on the attacker's follow-on capability, in-memory data structures can be corrupted and the affected process can be crashed.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11071 is active across all connected registries and pipelines, matching any image that packages Chrome on Linux below 149.0.7827.53. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image at the patched version, runs regression tests, and opens a PR against the affected workload; for high-severity issues the median time from CVE publication to a merged patch PR is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding is surfaced in the customer's triage queue with the CVSS 8.8 score and fix-version detail so engineering teams can action it manually. Customers who cannot upgrade immediately should consider network-policy controls that restrict which workloads can load arbitrary external HTML, reducing the social-engineering surface while the patch is staged.

Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H