How is CVE-2026-11086 exploited?

Network reachability (required): The attacker delivers the crafted HTML page over the network, so the target must be reachable via a browser making outbound network requests. Authentication (not-required): No account or credential is needed to serve the malicious page to the victim. Victim interaction (required): The victim must navigate to or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario. Attack complexity (info): Exploiting the Dawn flaw itself is condition-free once renderer access is established, though chaining a renderer compromise as a prerequisite adds real-world complexity.

What is the impact of CVE-2026-11086?

The attacker executes arbitrary code inside the Chrome sandbox, breaking the isolation boundary between the renderer and the rest of the host. With sandbox escape achieved, the attacker can read files and credentials accessible to the browser process on the host system. The attacker can write or modify data reachable by the browser process, including local storage, cached credentials, and profile data. The attacker can crash or destabilize the browser process, causing a denial of service for the affected user session.

Back to search

HIGHCVE-2026-11086Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11086: Inappropriate implementation in Dawn in Google Chrome prior to 149

Inappropriate implementation in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in the Dawn graphics component of Google Chrome versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but the attacker must first compromise the renderer process (for example, via a separate exploit) and then trick a user into visiting a crafted HTML page. Successful exploitation lets the attacker execute arbitrary code inside the browser sandbox, bypassing the isolation boundary meant to contain renderer-level compromises. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.

Available

Triage

HarborGuard scores this finding at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing, directing alerts to the appropriate team inbox within each customer organization.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, the platform triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, so the target must be reachable via a browser making outbound network requests.
AuthenticationNot required
No account or credential is needed to serve the malicious page to the victim.
Victim interactionRequired
The victim must navigate to or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.
Attack complexityDetail
Exploiting the Dawn flaw itself is condition-free once renderer access is established, though chaining a renderer compromise as a prerequisite adds real-world complexity.

Blast Radius

The attacker executes arbitrary code inside the Chrome sandbox, breaking the isolation boundary between the renderer and the rest of the host.
With sandbox escape achieved, the attacker can read files and credentials accessible to the browser process on the host system.
The attacker can write or modify data reachable by the browser process, including local storage, cached credentials, and profile data.
The attacker can crash or destabilize the browser process, causing a denial of service for the affected user session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11086 is active across all connected registries and pipelines, matching any image that packages a Chrome or Chromium binary below version 149.0.7827.53. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image at the patched version, runs a regression test suite against the new image, and opens a pull request against affected workloads. For high-severity findings, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated remediation, the finding is routed to the designated team inbox with full CVSS context and fix-version detail so engineers can act manually. Until a rebuild is deployed, network policy controls that restrict which container workloads can load arbitrary external URLs serve as a useful compensating control for reducing exposure.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available