How is CVE-2026-11076 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the service must be reachable from an external network origin. Authentication (not-required): No account or credentials of any kind are required; the attacker can target any user who visits the malicious page. Victim interaction (required): The victim must visit or be redirected to a crafted HTML page, meaning the attacker depends on a social-engineering or redirect step to trigger the vulnerability. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental prerequisites.

What is the impact of CVE-2026-11076?

Arbitrary code executes inside the Chrome renderer sandbox, giving the attacker control over the renderer process. The attacker reads data processed by the renderer, including page content, session tokens, and credentials entered in the browser. The attacker modifies in-browser state, potentially altering rendered content or intercepting form submissions. The renderer process crashes or is made unavailable, disrupting the user's browsing session for affected pages.

Back to search

HIGHCVE-2026-11076Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11076: Type Confusion in CSS in Google Chrome prior to 149

Type Confusion in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A type confusion vulnerability in the CSS engine of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the browser sandbox by tricking a user into visiting a crafted HTML page. The attack is reachable over the network, requires no authentication, but does require the victim to interact with a malicious page. Successful exploitation gives the attacker arbitrary code execution within the Chrome sandbox, with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-11076 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images that bundle Chrome or Chromium. Coverage extends to both registry scans and active CI/CD pipeline checks.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct alerts to the appropriate team inbox within each customer organization based on policy configuration.

Available

Patch

A patched-image rebuild at Chrome version 149.0.7827.53 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can execute a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the service must be reachable from an external network origin.
AuthenticationNot required
No account or credentials of any kind are required; the attacker can target any user who visits the malicious page.
Victim interactionRequired
The victim must visit or be redirected to a crafted HTML page, meaning the attacker depends on a social-engineering or redirect step to trigger the vulnerability.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental prerequisites.

Blast Radius

Arbitrary code executes inside the Chrome renderer sandbox, giving the attacker control over the renderer process.
The attacker reads data processed by the renderer, including page content, session tokens, and credentials entered in the browser.
The attacker modifies in-browser state, potentially altering rendered content or intercepting form submissions.
The renderer process crashes or is made unavailable, disrupting the user's browsing session for affected pages.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11076 activates within minutes of the advisory entering upstream feeds, matching against any image in a customer registry or pipeline that bundles Chrome or Chromium below version 149.0.7827.53. Where compliance policy permits, a patched-image rebuild at version 149.0.7827.53 becomes available automatically; for customers who opt into auto-remediation, HarborGuard executes the rebuild, runs a regression test, and opens a pull request against affected workloads. For HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not configured, HarborGuard surfaces the finding with CVSS scoring and policy-weighted priority so teams can act manually. Compensating controls worth considering while a rebuild is staged include network-policy rules that restrict which workloads can serve or fetch arbitrary HTML, and egress filtering to limit renderer-process outbound connections.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available