How is CVE-2026-11079 exploited?

Network reachability (required): The attacker delivers the malicious video file over the network, so the victim's browser must be reachable or the victim must browse to an attacker-controlled resource. Authentication (not-required): No account or credential of any kind is needed; the attack works against any unauthenticated visitor who opens the crafted file. Victim interaction (required): The victim must open or play a crafted video file, making this a social-engineering attack that requires the attacker to lure the user to malicious content. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.

What is the impact of CVE-2026-11079?

The attacker writes arbitrary data outside the intended buffer in the Codecs component, which can corrupt heap memory used by the browser process. With high confidentiality impact, the attacker reads in-memory content such as session tokens, saved credentials, and page data from the current browser context. With high integrity impact, the attacker modifies in-process data structures, enabling code injection or manipulation of rendered page content. With high availability impact, the attacker crashes the browser process or destabilizes it in a way that causes a denial of service for the affected user.

Back to search

HIGHCVE-2026-11079Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11079: Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149

Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory write via a crafted video file. (Chromium security severity: Medium)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds memory write vulnerability exists in the Codecs component of Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but does require a victim to open a crafted video file, placing it in the social-engineering category. Successful exploitation gives the attacker full read, write, and crash capability within the browser process, opening the door to remote code execution or data theft. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11079 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in registered registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome binary.

Available

Triage

Triage is available with the full CVSS v3.1 score of 8.8 (HIGH) surfaced alongside per-environment compliance policy weighting, so the finding is routed to the correct team inbox inside each customer organization based on their configured severity thresholds and asset classifications.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available in HarborGuard the moment the fix version is confirmed upstream. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the malicious video file over the network, so the victim's browser must be reachable or the victim must browse to an attacker-controlled resource.
AuthenticationNot required
No account or credential of any kind is needed; the attack works against any unauthenticated visitor who opens the crafted file.
Victim interactionRequired
The victim must open or play a crafted video file, making this a social-engineering attack that requires the attacker to lure the user to malicious content.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.

Blast Radius

The attacker writes arbitrary data outside the intended buffer in the Codecs component, which can corrupt heap memory used by the browser process.
With high confidentiality impact, the attacker reads in-memory content such as session tokens, saved credentials, and page data from the current browser context.
With high integrity impact, the attacker modifies in-process data structures, enabling code injection or manipulation of rendered page content.
With high availability impact, the attacker crashes the browser process or destabilizes it in a way that causes a denial of service for the affected user.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11079 activates immediately on ingestion, and a patched-image rebuild at Chrome 149.0.7827.53 is made available as soon as the fix version is confirmed. For customers who opt into auto-remediation, the typical flow for HIGH-severity issues is a rebuild, regression run, and merged patch PR in around 90 minutes from CVE publication. Where compliance policy permits auto-remediation, HarborGuard opens the PR against every affected workload without manual intervention. Customers who manage patch deployment manually can retrieve the rebuilt image from their HarborGuard registry view and apply it through their existing change process.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available