CVE-2026-11094: Use after free in Codecs in Google Chrome on Windows prior to 149
Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Codecs component of Google Chrome on Windows in versions prior to 149.0.7827.53. The flaw is reachable over the network with no authentication required, but the attacker must convince a user to visit a crafted HTML page and must have already compromised the Chrome renderer process. Successful exploitation enables a sandbox escape, giving the attacker code execution outside the browser sandbox with full confidentiality, integrity, and availability impact on the host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or distribute Chrome on Windows base layers. Any image carrying a Chrome version below 149.0.7827.53 is flagged immediately.
HarborGuard is capable of scoring this CVE at its full CVSS 3.1 critical severity (9.6) and weighting it against each customer environment's compliance policy to prioritize routing. Triage notifications are delivered to the appropriate team inbox inside each customer organization based on configured ownership rules.
For customers running an affected Chrome version, a patched-image rebuild at 149.0.7827.53 becomes available on HarborGuard as soon as the upstream package is resolvable. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted on an attacker-controlled or compromised site.
- Authentication: Not required
  No account credentials or prior authentication are needed; any user who visits the malicious page is a valid target.
- Victim interaction: Required
  The victim must actively open or be redirected to the crafted HTML page, making this a social-engineering or drive-by delivery scenario.
- Attack complexity: Low
  Attack complexity is rated Low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout; however, a prerequisite renderer compromise is required before the sandbox escape is possible.
Blast Radius
- An attacker who triggers the sandbox escape gains code execution outside the Chrome sandbox on the affected Windows host.
- With sandbox containment broken, the attacker can read files, credentials, and session tokens accessible to the browser process user account.
- The attacker can write or modify files on the host, install persistent malware, or alter application data.
- The attacker can crash or terminate the browser process and, depending on post-exploitation steps, disrupt other host services.
How HarborGuard Handles This
Available on HarborGuard: detection for this critical use-after-free is active across all connected registries and CI pipelines, matching any image that ships Chrome below 149.0.7827.53. For environments where images bundle Chrome on Windows base layers, a rebuilt image at the fixed version (149.0.7827.53) is available for generation as soon as the upstream package resolves. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, execute a regression test run against the updated image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Given the renderer-compromise prerequisite, teams should also review whether workloads expose Chrome to untrusted HTML input and consider network-policy controls that limit outbound renderer connections as a compensating control while rollout proceeds.
Fix available
- Google / Chrome: < 149.0.7827.53 (fixed from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H