HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-11102Published Modified CNA Chrome

CVE-2026-11102: Inappropriate implementation in Isolated Web Apps in Google Chrome prior to 149

Inappropriate implementation in Isolated Web Apps in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a malicious file. (Chromium security severity: Medium)

Metrics

CVSS v3.1
8.8
Severity
HIGH
Fixed in
149.0.7827.53
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An inappropriate implementation flaw in the Isolated Web Apps subsystem of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker to execute arbitrary code inside the browser sandbox. The attack is reachable over the network and requires no authentication, but the victim must interact with a malicious file, such as opening or downloading attacker-controlled content. Successful exploitation gives the attacker code execution within the sandbox context, with full impact on confidentiality, integrity, and availability of the affected process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11102 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chrome or Chromium binary. Any image whose installed Chrome version falls below 149.0.7827.53 will be flagged automatically in registry scans and CI pipeline checks.

Available
Triage

Triage is available with the CVSS 3.1 score of 8.8 (HIGH) applied immediately on match, weighted further by each customer organization's compliance policy to prioritize alerts appropriately. Findings are routed to the correct team inbox within each customer org based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard as soon as the fix version is confirmed against the affected image layer. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the malicious file over the network, so the targeted Chrome instance must be reachable or the user must browse to an attacker-controlled resource.

  • AuthenticationNot required

    No account or credential of any kind is needed; any unauthenticated remote attacker can attempt the exploit.

  • Victim interactionRequired

    The victim must interact with a malicious file, for example by opening or downloading attacker-supplied content, making this a social-engineering-dependent attack.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond victim interaction.

Blast Radius

  • Reads sensitive data accessible within the Chrome sandbox process, including stored session state and locally cached content.
  • Modifies data and state within the sandboxed process, potentially altering rendered content or injecting behavior into the Isolated Web App context.
  • Crashes or destabilizes the sandboxed renderer process, disrupting the availability of the affected Isolated Web App.
  • Provides a foothold inside the sandbox that could be chained with a sandbox-escape vulnerability to reach the underlying host.

How HarborGuard Handles This

Available on HarborGuard: any image containing a Chrome binary below version 149.0.7827.53 is flagged within minutes of CVE publication, covering both upstream base images and custom-built images. For customers who opt into auto-remediation, HarborGuard generates a rebuilt image at the patched version, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is surfaced in the triage queue with the full CVSS 8.8 HIGH score and remediation guidance so the responsible team can act immediately. Customers who cannot update immediately should consider network-policy controls that restrict which users or services can load untrusted external content inside Chrome-based Isolated Web Apps as a compensating control until the patched image is deployed.

See how HarborGuard automates this

Fix available

149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References