CVE-2026-11095: Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149
Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an insufficient input validation vulnerability in the Codecs component of Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network with no authentication required, but it does require a victim to interact with a crafted HTML page, and it assumes the attacker has already compromised the renderer process. Successful exploitation enables a full sandbox escape, giving the attacker the ability to read sensitive data, tamper with files, and disrupt services outside the browser sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-11095 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chrome or Chromium runtime. Coverage applies to both registry scans and active pipeline checks.
Available
HarborGuard is capable of scoring this CVE at its CVSS v3.1 rating of 9.6 (Critical) and weighting it against each customer environment's compliance policy to prioritize alert routing. Triage signals are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Available
A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
The attacker must reach the victim over the network by serving a crafted HTML page, making internet or intranet exposure a prerequisite.
- Authentication: Not required
No account credentials or prior authentication are needed to deliver the malicious page to the victim.
- Victim interaction: Required
The victim must visit or be directed to the attacker-controlled HTML page, requiring a social engineering or phishing step.
- Attack complexity: Detail
Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout, though it does assume the renderer process has already been compromised as a prerequisite step.
Blast Radius
- Attacker escapes the Chrome sandbox and gains code execution in the context of the host process, breaking the browser's primary isolation boundary.
- Confidential data accessible to the browser user, including stored credentials, session tokens, and local files, becomes readable outside the sandbox.
- The attacker can write to or modify files and system state that the sandboxed renderer would normally be forbidden from touching.
- The host process or dependent services can be crashed or destabilized, causing denial of service on the affected system.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11095 is active across all scanning environments, matching any image that bundles a Chrome or Chromium binary below version 149.0.7827.53. Given the Critical CVSS score of 9.6 and the sandbox-escape impact, this CVE is weighted at the top of the triage queue under default compliance policies. A patched-image rebuild targeting Chrome 149.0.7827.53 is available for affected environments. For customers who have opted into auto-remediation, HarborGuard is capable of rebuilding the affected image, executing a regression test run, and opening a pull request against the affected workload; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Customers who manage their own remediation cadence can retrieve the rebuild from the HarborGuard registry and apply it on their own schedule.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H