CVE-2026-11111: Out of bounds read in ANGLE in Google Chrome prior to 149
Out of bounds read in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1
- 8.1
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An out-of-bounds read vulnerability exists in ANGLE, the graphics abstraction layer used by Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network without authentication, but requires a user to visit a crafted HTML page. Successful exploitation reads memory outside intended bounds, disclosing sensitive in-process data and crashing the affected renderer. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11111 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all container images in customer registries and CI pipelines, including custom-built images that bundle a Chrome or Chromium runtime.
AvailableHarborGuard scores this CVE at CVSS 8.1 (HIGH) and can weight that score against each environment's compliance policy to prioritize it appropriately; routing to the relevant team inbox within each customer organization is available as part of the standard triage workflow.
AvailableA patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, the platform performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, so the targeted Chrome instance must be reachable or browsing to attacker-controlled content over the internet or an internal network.
- AuthenticationNot required
No account or credential is needed; any unauthenticated remote attacker can serve the malicious page.
- Victim interactionRequired
The targeted user must visit the attacker-crafted HTML page, making this a social-engineering or malicious-link scenario.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.
Blast Radius
- Reads memory outside the intended buffer inside the Chrome renderer process, potentially exposing in-process data such as decoded image content, DOM data, or other renderer-resident values.
- Causes a high-severity availability impact, crashing the affected renderer or tab and disrupting the user's session.
- No write or modification capability is indicated by the CVSS vector, so database rows, files, and persisted state are not directly tampered with by this exploit.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11111 is active against all scanned images the moment the CVE enters upstream feeds. For environments where an image bundles a Chrome or Chromium binary older than 149.0.7827.53, a rebuilt image at the fixed version is available. For customers with auto-remediation enabled, HarborGuard performs the image rebuild, executes a regression run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual sign-off before merging, the PR and supporting test results are staged and waiting for reviewer action.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H