CVE-2026-11074: Use after free in WebRTC in Google Chrome on Linux prior to 149
Use after free in WebRTC in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in WebRTC affects Google Chrome on Linux prior to version 149.0.7827.53. The flaw is reachable over the network with no authentication required, but a victim must visit a crafted HTML page for exploitation to succeed. Successful exploitation gives the attacker arbitrary code execution on the victim's machine. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-11074 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Google Chrome on Linux.
AvailableHarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and weighting it against each environment's compliance policy to determine urgency; triage findings are routed to the appropriate team inbox within each customer organization.
AvailableA patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network; the victim's browser must be able to reach a remote attacker-controlled HTML page.
- AuthenticationNot required
No account or credential of any kind is required; any unauthenticated remote attacker can serve the malicious page.
- Victim interactionRequired
The victim must navigate to or be socially engineered into loading a crafted HTML page in an affected Chrome browser.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory-layout guessing, or other variable environmental factors.
Blast Radius
- Arbitrary code executes in the context of the Chrome renderer process on the victim's Linux host.
- Confidentiality is fully compromised: the attacker can read files, session tokens, and in-memory secrets accessible to the browser process.
- Integrity is fully compromised: the attacker can write, modify, or delete data accessible to the browser process.
- Availability is fully compromised: the attacker can crash or hang the browser process and potentially disrupt dependent services running under the same user account.
How HarborGuard Handles This
Available on HarborGuard: any container image that bundles Google Chrome on Linux at a version below 149.0.7827.53 is flagged as affected by this CVE within minutes of the advisory being ingested. Where compliance policy permits, HarborGuard can rebuild the image at Chrome 149.0.7827.53, execute a regression run, and open a pull request against the affected workload; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 8.8 scoring and routes it to the designated team inbox so engineers can act on it manually. As a compensating control while a rebuild is staged, network policy can be tightened to restrict outbound browser access to untrusted origins, reducing the surface available for a crafted-page delivery attack.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H