HIGH | CVE-2026-11124 | CNA: Chrome

CVE-2026-11124: Integer overflow in Skia in Google Chrome prior to 149

Integer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An integer overflow in Skia, the graphics rendering library embedded in Google Chrome, affects all Chrome versions prior to 149.0.7827.53. The vulnerability is reachable over the network and requires no authentication, but a user must visit a crafted HTML page for exploitation to succeed. Successful exploitation gives an attacker heap corruption primitives that enable reading sensitive data, modifying memory, or crashing the browser process, potentially leading to remote code execution. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome or Chromium installation. Any image carrying a Chrome version below 149.0.7827.53 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and weights the finding against each environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available through HarborGuard once the fix version is confirmed in the upstream record. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a PR against the affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing a victim to a crafted HTML page hosted on an attacker-controlled server.

  • Authentication: Not required

    No account or credential on the target system is needed; the attack is launched from an unauthenticated position.

  • Victim interaction: Required

    The victim must visit a crafted HTML page, meaning the attacker must use phishing or another social-engineering vector to trigger the exploit.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • A successful attacker gains heap corruption primitives in the Chrome renderer process, enabling reads of in-memory data such as stored credentials, session tokens, or page content.
  • Memory writes through the corrupted heap allow an attacker to modify browser state or inject code, potentially escalating to full renderer compromise.
  • The affected process can be crashed on demand, killing the active browser tab or worker and disrupting the user session.
  • Depending on sandbox escape primitives available at exploit time, compromise of the renderer can be chained toward code execution on the underlying host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11124 is active across all scanning pipelines, flagging any image that bundles Chrome below 149.0.7827.53. A patched-image rebuild targeting version 149.0.7827.53 is available for qualifying images. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes the configured regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a pre-populated PR are staged and held for reviewer sign-off. Because this vulnerability requires victim interaction via a crafted HTML page, organizations that restrict which Chrome-bundling images are exposed to external network traffic can reduce the attack surface while a rebuild is in progress.


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H