How is CVE-2026-11091 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable through normal browser web traffic. Authentication (not-required): No account or credential is needed; any unauthenticated remote attacker can serve the malicious page. Victim interaction (required): The victim must visit or be redirected to the attacker-controlled HTML page, making social engineering or a malicious ad/link the necessary delivery mechanism. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

What is the impact of CVE-2026-11091?

Reads process memory contents, which may include session tokens, credentials, or locally cached user data rendered by the browser. Writes to out-of-bounds memory regions, enabling modification of browser state or injected code execution within the Chrome renderer process. Crashes the affected Chrome process, causing loss of the current browsing session and any unsaved in-page state. Combined high confidentiality, integrity, and availability impact means a successful exploit can chain memory reads and writes into full renderer compromise.

Back to search

HIGHCVE-2026-11091Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11091: Inappropriate implementation in Dawn in Google Chrome prior to 149

Inappropriate implementation in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds memory access vulnerability exists in Dawn, the WebGPU graphics backend used by Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but does require a victim to visit or be redirected to a crafted HTML page. Successful exploitation gives an attacker read and write access to process memory as well as the ability to crash the browser, enabling data theft, content tampering, or remote code execution. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected Chrome version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome or Chromium installation. Any image shipping a Chrome version earlier than 149.0.7827.53 is flagged automatically.

Available

Triage

HarborGuard scores this finding at CVSS 8.8 (High) and weights it against each environment's compliance policy to determine urgency and routing. Alerts are directed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available through HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable through normal browser web traffic.
AuthenticationNot required
No account or credential is needed; any unauthenticated remote attacker can serve the malicious page.
Victim interactionRequired
The victim must visit or be redirected to the attacker-controlled HTML page, making social engineering or a malicious ad/link the necessary delivery mechanism.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

Reads process memory contents, which may include session tokens, credentials, or locally cached user data rendered by the browser.
Writes to out-of-bounds memory regions, enabling modification of browser state or injected code execution within the Chrome renderer process.
Crashes the affected Chrome process, causing loss of the current browsing session and any unsaved in-page state.
Combined high confidentiality, integrity, and availability impact means a successful exploit can chain memory reads and writes into full renderer compromise.

How HarborGuard Handles This

Available on HarborGuard: any image containing Google Chrome earlier than 149.0.7827.53 is matched against this CVE within minutes of the advisory entering upstream feeds, including custom images built on top of base images that ship Chrome. Where compliance policy permits, a rebuilt image at the patched version is staged automatically. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Customers who manage patching manually will see the finding flagged at High severity in their dashboard with the fix version noted, so the upgrade target is unambiguous.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available