HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-11119Published Modified CNA Chrome

CVE-2026-11119: Inappropriate implementation in GPU in Google Chrome on Android prior to 149

Inappropriate implementation in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
149.0.7827.53
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A sandbox escape vulnerability exists in the GPU implementation of Google Chrome for Android in versions prior to 149.0.7827.53. The flaw is reachable over the network and requires no prior authentication, though it does require a victim to visit a crafted HTML page; additionally, an attacker must have already compromised the renderer process as a prerequisite. Successful exploitation allows a remote attacker to break out of Chrome's sandbox, gaining the ability to read, modify, and disrupt data and processes beyond the browser's intended isolation boundary. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Android-based container images that bundle Chrome. Scans cover both freshly built images and images already at rest in customer registries.

Available
Triage

HarborGuard is capable of scoring this finding at CVSS 9.6 (Critical) and weighting it against each environment's compliance policy to reflect organizational risk tolerance. Routing rules can direct the finding to the appropriate team inbox within each customer organization for immediate review.

Available
Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the crafted HTML page over the network, so the victim's device must be reachable through a browser session exposed to remote content.

  • AuthenticationNot required

    No account or credential is needed; the attack is launched from an unauthenticated web context.

  • Victim interactionRequired

    The victim must navigate to or be redirected to a crafted HTML page, requiring a social-engineering or malicious-ad delivery step.

  • Attack complexityDetail

    The exploit is condition-free at the network delivery layer, though a separate renderer-process compromise must already be in place before the sandbox escape can be triggered.

Blast Radius

  • A successful attacker reads data outside the Chrome sandbox, including stored credentials, session tokens, and files accessible to the browser process.
  • The attacker modifies data or injects code into processes that run outside the sandboxed renderer, including other app contexts on the device.
  • The attacker disrupts or crashes services and processes beyond the browser, up to and including the host application layer on the Android device.
  • Because the scope change token (S:C) is set, impact extends beyond the vulnerable component itself, affecting other security domains on the same device.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11119 is active across connected registries and pipelines, matching any image that bundles a Chrome for Android binary older than 149.0.7827.53. Given the Critical severity (CVSS 9.6), this CVE is prioritized at the top of the finding queue. A patched-image rebuild at 149.0.7827.53 is available; for customers who opt into auto-remediation, HarborGuard rebuilds the affected image, executes the configured regression tests, and opens a pull request against the affected workload, with a median time from CVE publication to merged patch PR of around 90 minutes for critical-severity issues in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated owner inbox with full CVSS context and fix-version detail attached.

See how HarborGuard automates this

Fix available

149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References