CRITICAL | CVE-2026-11114 | CNA: Chrome

CVE-2026-11114: Use after free in Device Trust in Google Chrome on Mac prior to 149

Use after free in Device Trust in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Device Trust component of Google Chrome on macOS affects all Chrome versions prior to 149.0.7827.53. The flaw is reachable over the network without authentication, but requires the attacker to have already compromised the renderer process and to lure a user into visiting a crafted HTML page. Successful exploitation enables a sandbox escape, granting the attacker capabilities beyond the Chrome renderer sandbox, including potential full code execution on the host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Chrome on macOS base layers. Any image carrying a Chrome version below 149.0.7827.53 on a Mac-targeted layer is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 9.6 (Critical) and weights it further against each environment's compliance policy to determine urgency and routing. Triage output is delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment carrying an affected image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the target Chrome instance must be reachable or the user must browse to an attacker-controlled remote resource.

  • Authentication: Not required

    No account or credential is needed; the attack is initiated by a user visiting a specially crafted page served by the attacker.

  • Victim interaction: Required

    A user must open or be redirected to the attacker-crafted HTML page, making social engineering or a malicious ad or link a prerequisite.

  • Attack complexity: Detail

    Attack complexity is rated Low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout prerequisites beyond the renderer-compromise precondition.

Blast Radius

  • A successful attacker escapes the Chrome renderer sandbox on macOS, gaining execution context outside Chrome's process isolation boundary.
  • With sandbox escape achieved, the attacker reads files and credentials accessible to the user account running Chrome, including keychain-adjacent data on macOS.
  • The attacker writes or modifies files on the host filesystem within the permissions of the compromised user account.
  • The attacker disrupts or terminates host-level processes accessible to that user, potentially causing application or service failures on the affected machine.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image bundling Chrome below 149.0.7827.53 on a macOS-targeted layer. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, runs regression tests, and opens a PR against affected workloads; for high and critical severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a prioritized alert are queued for reviewer action. Because this vulnerability requires a pre-compromised renderer process as a stepping stone, compensating controls such as strict Content Security Policy headers, network-policy rules that limit which origins Chrome-running containers may fetch from, and disabling unnecessary Chrome extensions in container builds can reduce the attack surface while a rebuild is in progress.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H