CVE-2026-11117: Use after free in Views in Google Chrome on Windows prior to 149
Use after free in Views in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Views component of Google Chrome on Windows in versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no authentication, but does require the victim to visit a crafted HTML page. Successful exploitation gives an attacker remote code execution on the victim's machine. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11117 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome runtime.
AvailableTriage is available with a CVSS score of 8.8 (HIGH) applied automatically, weighted against each customer environment's compliance policy to determine urgency, and routed to the appropriate team inbox within the customer org.
AvailableA patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a remote crafted HTML page, so the service must be reachable from the internet or an accessible network.
- AuthenticationNot required
No account or credential is needed on the target system; the attack is launched entirely through the browser by an unauthenticated remote attacker.
- Victim interactionRequired
The victim must visit a crafted HTML page, meaning the attacker must persuade them to click a link or otherwise navigate to attacker-controlled content.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other environmental factors.
Blast Radius
- A successful attacker gains arbitrary code execution in the context of the Chrome renderer process on the victim's Windows host.
- With code execution, the attacker can read files and stored browser data accessible to the running Chrome process, including session cookies and saved credentials.
- The attacker can write or modify files on the local filesystem within the permissions of the browser process user.
- The attacker can crash or destabilize the browser process, disrupting the victim's session.
How HarborGuard Handles This
Available on HarborGuard: any image containing Google Chrome prior to 149.0.7827.53 on Windows is flagged at CVSS 8.8 (HIGH) and a rebuild pinned to the fixed version is queued automatically. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads; for high-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a summary of findings are staged in the customer's remediation queue pending review.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H