HIGH | CVE-2026-11118 | CNA: Chrome

CVE-2026-11118: Use after free in WebRTC in Google Chrome prior to 149

Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the WebRTC component of Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network without any authentication, but requires the victim to visit a crafted HTML page the attacker controls. Successful exploitation allows the attacker to execute arbitrary code inside Chrome's renderer sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome or Chromium runtime. Any image carrying a Chrome version below 149.0.7827.53 will surface as affected in the customer's registry and CI pipeline scan results.

Status: Available

Triage

HarborGuard scores this CVE at 8.8 HIGH per CVSS v3.1 and can weight that score against each customer environment's compliance policy, escalating findings to the appropriate team inbox based on policy-defined severity thresholds and asset criticality.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any environment whose scanned images include an affected Chrome version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by serving a crafted HTML page, so the victim's browser must be able to reach attacker-controlled web content.

  • Authentication: Not required

    No authentication is needed; the attacker requires only that the victim navigates to a page the attacker controls.

  • Victim interaction: Required

    The victim must visit or be redirected to the crafted HTML page, making this a social-engineering or malicious-ad delivery scenario.

  • Attack complexity: Detail

    Attack complexity is low (AC:L in the CVSS vector), meaning the attacker can expect repeatable success and faces no special environmental conditions or race-condition requirements.

Blast Radius

  • The attacker executes arbitrary code inside Chrome's renderer sandbox, gaining full control of the sandboxed process.
  • Confidential data processed by the renderer, including page content, stored credentials surfaced by autofill, and session tokens, is readable by the attacker.
  • The attacker can tamper with page content and any data the renderer writes, enabling manipulation of in-flight requests or displayed information.
  • The compromised renderer process can be crashed or held hostage, disrupting the user's browsing session and any web application running in that context.

How HarborGuard Handles This

Available on HarborGuard: any image embedding Google Chrome below 149.0.7827.53 is flagged at ingest, with findings routed according to each customer's compliance policy. Where auto-remediation is enabled, HarborGuard rebuilds the image at the fixed version (149.0.7827.53), runs the configured regression suite, and opens a pull request against affected workloads. For high-severity CVEs, the median time from publication to a merged patch PR in auto-remediation environments is around 90 minutes. Customers who have not enabled auto-remediation can review the flagged finding in their HarborGuard dashboard and trigger a manual rebuild from the CVE detail page. Until a rebuild is deployed, consider restricting container workloads that bundle Chrome from accessing untrusted external URLs, and review egress network policies to limit the pages those containers can reach.


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H