How is CVE-2026-11115 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network exposure is required to reach the vulnerable component. Authentication (required): Any low-privilege local account is sufficient; no administrative rights are needed to initiate the exploit. Victim interaction (required): A user on the target system must interact with a malicious file, introducing a social-engineering step for the attacker. Attack complexity (info): Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions or specific environmental layout.

What is the impact of CVE-2026-11115?

The attacker reads sensitive data accessible to the escalated OS-level privilege context, including credentials, session material, and protected files. The attacker modifies or overwrites OS-level files, registry entries, or security configurations on the Windows host. The attacker installs persistent malware or scheduled tasks under a higher-privilege account, surviving reboots and user logouts. The attacker disrupts or terminates protected system processes, causing service outages beyond the Chrome browser itself.

Back to search

HIGHCVE-2026-11115Published 2026-06-04Modified 2026-06-06CNA Chrome

CVE-2026-11115: Use after free in Updater in Google Chrome on Windows prior to 149

Use after free in Updater in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Updater component of Google Chrome on Windows in versions prior to 149.0.7827.53. The flaw is reachable locally by an authenticated low-privilege user who can place or interact with a malicious file, with no network access required. Successful exploitation grants the attacker OS-level privilege escalation, potentially giving full control over the underlying host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11115 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome installation.

Available

Triage

HarborGuard scores this issue at CVSS 7.3 (High) and is capable of weighting that score against each environment's compliance policy to prioritize alert routing. Triage tickets can be directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network exposure is required to reach the vulnerable component.
AuthenticationRequired
Any low-privilege local account is sufficient; no administrative rights are needed to initiate the exploit.
Victim interactionRequired
A user on the target system must interact with a malicious file, introducing a social-engineering step for the attacker.
Attack complexityDetail
Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions or specific environmental layout.

Blast Radius

The attacker reads sensitive data accessible to the escalated OS-level privilege context, including credentials, session material, and protected files.
The attacker modifies or overwrites OS-level files, registry entries, or security configurations on the Windows host.
The attacker installs persistent malware or scheduled tasks under a higher-privilege account, surviving reboots and user logouts.
The attacker disrupts or terminates protected system processes, causing service outages beyond the Chrome browser itself.

How HarborGuard Handles This

Available on HarborGuard: once CVE-2026-11115 is matched against a customer image, a rebuild at Chrome 149.0.7827.53 is queued and made available for deployment. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes the configured regression-test suite, and opens a pull request against affected workloads; for High-severity issues the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with CVSS context and fix-version detail so engineering teams can act manually. Because the exploit requires local access and victim file interaction, teams may also consider restricting which users can place executable or script files in directories accessible to the Chrome Updater process as a compensating control while rollout is in progress.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available