CRITICAL | CVE-2026-11112 | CNA: Chrome

CVE-2026-11112: Insufficient validation of untrusted input in Chromoting in Google Chrome on Linux prior to 149

Insufficient validation of untrusted input in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Medium)

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Insufficient input validation in the Chromoting component of Google Chrome on Linux (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted Chrome Extension. The attack is reachable over the network and requires the victim to interact with attacker-controlled content, but no authentication is needed. Successful exploitation gives the attacker full confidentiality, integrity, and availability impact outside the sandbox boundary. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11112 is available across every HarborGuard environment, with the CVE matched against customer images (including custom-built Linux images that bundle Chrome) within minutes of upstream feed publication. Any image whose Chrome version falls below 149.0.7827.53 is flagged automatically during registry scans and CI pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 9.6 (Critical) and weights it further against each customer environment's compliance policy, escalating it appropriately given the sandbox-escape impact and scope change. Triage findings are routed to the team or inbox configured within each customer org based on their alert-routing rules.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the victim over the network; the CVSS vector specifies AV:N, so both network-adjacent and internet-exposed Chrome sessions are in scope.

  • Authentication: Not required

    No credentials or account are needed; the attacker operates as an unauthenticated remote party prior to renderer compromise.

  • Victim interaction: Required

    The victim must interact with attacker-controlled content (for example, visiting a malicious page or installing a crafted Chrome Extension), making this a social-engineering-dependent exploit path.

  • Attack complexity: Detail

    Attack complexity is Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors once the renderer is compromised.

Blast Radius

  • A successful attacker escapes the Chrome sandbox entirely, gaining code execution in the context of the host Linux user running Chrome.
  • Confidential data accessible to that user (session tokens, credentials, files, environment variables) is readable by the attacker.
  • The attacker can write to or modify files and system state owned by the Linux user, including persistent configuration and application data.
  • The attacker can crash, hang, or otherwise disrupt the Chrome process and any dependent services or workflows running under that user account.

How HarborGuard Handles This

Available on HarborGuard: any container image shipping Google Chrome on Linux below version 149.0.7827.53 is detected as affected within minutes of the CVE entering upstream feeds, including images built internally by customer teams. For customers with auto-remediation enabled, HarborGuard rebuilds the image at Chrome 149.0.7827.53, executes a regression run, and opens a PR against affected workloads; for critical-severity issues, the median time from publication to merged patch PR is approximately 90 minutes. Where compliance policy or change-control requirements prevent auto-remediation, HarborGuard surfaces the finding with full CVSS context and fix-version details so that engineering teams can act manually. Given the sandbox-escape severity and the requirement for prior renderer compromise, customers who cannot patch immediately may consider restricting Chrome Extension installation via policy, isolating affected workloads behind network policy controls that limit attacker-reachable surfaces, and monitoring for unusual child-process activity spawned from Chrome on affected hosts.
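For teams acting on the finding manually, the version test described above can be run inside an image or on a host. This is an added example, not HarborGuard tooling: the function names and the list of Chrome binary names are assumptions, and the sample banners are constructed; only the fix version 149.0.7827.53 comes from this page.

```shell
#!/bin/sh
# Added example (not HarborGuard tooling): compare a Chrome version banner
# against the fix version stated on this page.
FIXED_VERSION="149.0.7827.53"

# Pull the first four-part dotted version out of a `--version` banner.
extract_version() {
  printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# Return 0 when $1 is strictly older than $2 (numeric, field by field).
version_lt() {
  _a=$1; _b=$2
  for _i in 1 2 3 4; do
    _x=${_a%%.*}; _y=${_b%%.*}
    if [ "$_x" -lt "$_y" ]; then return 0; fi
    if [ "$_x" -gt "$_y" ]; then return 1; fi
    _a=${_a#*.}; _b=${_b#*.}
  done
  return 1   # equal versions are not affected
}

# Print "AFFECTED <ver>", "PATCHED <ver>" or "UNKNOWN" for one banner.
classify_banner() {
  _v=$(extract_version "$1" || true)
  if [ -z "$_v" ]; then echo "UNKNOWN"; return 0; fi
  if version_lt "$_v" "$FIXED_VERSION"; then
    echo "AFFECTED $_v"
  else
    echo "PATCHED $_v"
  fi
}

# Check Chrome binaries on PATH; the binary names are assumptions.
check_host() {
  for _bin in google-chrome google-chrome-stable google-chrome-beta; do
    if command -v "$_bin" >/dev/null 2>&1; then
      echo "$_bin: $(classify_banner "$("$_bin" --version 2>/dev/null)")"
    fi
  done
}

# Constructed sample banners, so the script runs without Chrome installed.
for _sample in "Google Chrome 148.0.7778.96" "Google Chrome 149.0.7827.53"; do
  echo "$_sample -> $(classify_banner "$_sample")"
done
```

Call `check_host` in a container build step or on an endpoint to classify whichever Chrome binaries are installed; the comparison is numeric per field, so a major version such as 9 is not mistaken for being newer than 149.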


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H