CRITICAL | CVE-2026-11120 | CNA: Chrome

CVE-2026-11120: Insufficient validation of untrusted input in Enterprise Reporting in Google Chrome prior to 149

Insufficient validation of untrusted input in Enterprise Reporting in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

Insufficient input validation in the Enterprise Reporting component of Google Chrome prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. The attack is reachable over the network and requires no authentication, though it does require the victim to visit or interact with a malicious page. Successful exploitation gives the attacker code execution outside the browser sandbox, effectively escaping Chrome's primary security boundary. A patched-image rebuild at 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11120 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Chrome or Chromium. Any image carrying a Chrome version below 149.0.7827.53 is flagged automatically as affected.

Status: Available

Triage

Triage is available at CVSS 9.6 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), surfaced against each customer environment's compliance policy weighting and routed to the appropriate team inbox within that organization.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the target service or user must be reachable from the attacker's position on the internet.

  • Authentication: Not required

    No account or credentials are needed; any unauthenticated user who can be directed to a malicious page is a viable target.

  • Victim interaction: Required

    The victim must visit or otherwise load the attacker-controlled HTML page, making this a social-engineering or malicious-redirect scenario.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors, though it does assume the renderer process has already been compromised.

Blast Radius

  • The attacker escapes the Chrome browser sandbox, gaining code execution in the context of the host process outside the renderer's security boundary.
  • With sandbox escape achieved, the attacker reads files, credentials, and session data accessible to the user running Chrome on the host.
  • The attacker writes or modifies files on the host filesystem and can persist malicious code across reboots.
  • The attacker can crash or destabilize the host-level Chrome process and any dependent services, causing a denial of service.

How HarborGuard Handles This

Available on HarborGuard: any container image bundling Google Chrome below 149.0.7827.53 is flagged as critically vulnerable upon ingestion of this advisory, with no manual scan trigger required. Where compliance policy permits, a rebuilt image pinned to 149.0.7827.53 is generated automatically; customers with auto-remediation enabled receive the rebuilt image, a regression-test run, and a pull request opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for critical-severity issues.

For environments where auto-remediation is not enabled, the finding appears in the HarborGuard dashboard with the fix version clearly indicated so teams can act manually. Given the sandbox-escape nature of this vulnerability and its Critical CVSS score of 9.6, teams without auto-remediation should treat this as a priority upgrade.

Compensating controls to consider in the interim include restricting network egress from containers running Chrome, applying strict Content Security Policy headers to limit renderer exposure, and disabling or gating Enterprise Reporting features via Chrome policy flags where operationally feasible.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H