How is CVE-2026-11077 exploited?

Network reachability (required): The attacker delivers the exploit over the network; the targeted Chrome instance must be able to reach and render an attacker-controlled HTML page. Authentication (not-required): No credentials or account are needed; any unauthenticated attacker who can serve a page to the victim can attempt exploitation. Victim interaction (required): The victim must visit a crafted HTML page, making this a social-engineering vector requiring the attacker to lure the user to a malicious URL. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

What is the impact of CVE-2026-11077?

Executes arbitrary code inside the Chrome renderer sandbox, giving the attacker control over the sandboxed process. Reads sensitive in-browser data such as session tokens, stored credentials, and page content from the compromised renderer. Modifies in-browser state and can interact with web content on behalf of the victim within the sandbox. If chained with a sandbox escape, achieves full code execution on the underlying host with the privileges of the Chrome process.

Back to search

HIGHCVE-2026-11077Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11077: Bad cast in Dawn in Google Chrome prior to 149

Bad cast in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A bad cast vulnerability in Dawn, the graphics backend used by Google Chrome, allows a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though a victim must visit a malicious page. Successful exploitation gives an attacker code execution within the Chrome sandbox, which combined with a sandbox escape could lead to full system compromise. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-11077 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication from upstream feeds. Coverage includes custom-built images that bundle Chrome or Chromium as a dependency.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.8 (High) and weighting findings against each environment's compliance policy to surface the alert at the appropriate severity. Routing to the correct team inbox within each customer organization is available based on per-environment ownership rules.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network; the targeted Chrome instance must be able to reach and render an attacker-controlled HTML page.
AuthenticationNot required
No credentials or account are needed; any unauthenticated attacker who can serve a page to the victim can attempt exploitation.
Victim interactionRequired
The victim must visit a crafted HTML page, making this a social-engineering vector requiring the attacker to lure the user to a malicious URL.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

Executes arbitrary code inside the Chrome renderer sandbox, giving the attacker control over the sandboxed process.
Reads sensitive in-browser data such as session tokens, stored credentials, and page content from the compromised renderer.
Modifies in-browser state and can interact with web content on behalf of the victim within the sandbox.
If chained with a sandbox escape, achieves full code execution on the underlying host with the privileges of the Chrome process.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome versions prior to 149.0.7827.53 are flagged automatically as this CVE enters the ingestion pipeline. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, runs a regression check, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS score, affected image list, and remediation instructions attached. Because this vulnerability requires victim interaction via a crafted page, customers who cannot immediately patch should consider network-policy controls that restrict which hosts Chrome-based workloads can reach, reducing the attacker's ability to serve a malicious page.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available