CVE-2026-11080: Use after free in WebView in Google Chrome on Android prior to 149
Use after free in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability affects the WebView component in Google Chrome on Android prior to version 149.0.7827.53. The flaw is reachable over the network without any authentication, but requires a victim to visit a crafted HTML page. Successful exploitation corrupts heap memory, giving an attacker the ability to read sensitive data, modify application state, or crash the browser process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-11080 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built Android images that bundle a Chrome WebView component. Coverage extends to both registry scans and active CI/CD pipeline checks.
Triage is available using the CVSS v3.1 score of 8.8 (HIGH), with per-environment compliance policy weighting applied to prioritize the finding relative to other open issues. Routing to the appropriate team inbox within each customer organization is handled automatically based on configured ownership rules.
A patched-image rebuild at Chrome version 149.0.7827.53 becomes available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted on an attacker-controlled server.
- Authentication: Not required
No account or credentials on the target system are needed; any anonymous remote attacker can attempt the exploit.
- Victim interaction: Required
The victim must open or be redirected to a crafted HTML page, making social engineering or a malicious link a necessary part of the attack chain.
- Attack complexity: Detail
Attack complexity is low (AC:L in the CVSS vector), meaning a successful attack does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.
Blast Radius
- A successful attacker can read in-process memory, which may include session tokens, cookies, and other credential material stored in the browser.
- The attacker can modify heap data within the Chrome process, enabling tampering with page content, cached responses, or persisted application state.
- The vulnerability can be used to crash the Chrome WebView process, causing a denial of service for any Android application that embeds WebView.
- Given the combination of high confidentiality, integrity, and availability impact, the exploit may serve as a stepping stone toward full remote code execution within the application sandbox.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome on Android are scanned against CVE-2026-11080 immediately upon ingestion, and any image pinned to a version below 149.0.7827.53 is flagged as affected. A rebuilt image at the fixed version is made available for those environments. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test pass, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval before patching, the finding is routed to the configured owner inbox with full CVSS context attached. Customers who cannot immediately upgrade should consider restricting WebView-based features through application-level feature flags and applying network-policy controls that limit the origins WebView components are permitted to load.
Fix available
- Google / Chrome: < 149.0.7827.53 (fixed from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H