HarborGuard Database

Severity: HIGH | CVE-2026-11125 | CNA: Chrome

CVE-2026-11125: Use after free in Compositing in Google Chrome prior to 149

Use after free in Compositing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1
8.8
Severity
HIGH
Fixed in
149.0.7827.53
Affected Products
1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Compositing component of Google Chrome allows a remote attacker to execute arbitrary code inside the browser sandbox. The attacker reaches the victim over the network and needs no authentication, but the victim must visit a crafted HTML page. Successful exploitation gives the attacker code execution within the Chrome sandbox, which can be a stepping stone to further privilege escalation via a separate sandbox-escape flaw. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection (Available)

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.

Triage (Available)

HarborGuard scores this finding at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer organization.

Patch (Available)

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by luring the victim to a crafted page; the Chrome process must be reachable in the sense that the victim's browser fetches attacker-controlled content.

  • Authentication: Not required

    No account or credential is needed; any unauthenticated remote party can serve the malicious HTML page.

  • Victim interaction: Required

    The victim must visit or be redirected to a crafted HTML page, making this a social-engineering-dependent exploit.

  • Attack complexity: Low

    Attack complexity is rated Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • Attacker executes arbitrary code inside the Chrome renderer sandbox on the victim's host.
  • Attacker reads in-browser data such as session cookies, saved credentials, and page content (high confidentiality impact).
  • Attacker modifies in-browser state, including DOM content and stored site data (high integrity impact).
  • Attacker can crash or hang the affected Chrome process, denying the user access to the browser (high availability impact).

How HarborGuard Handles This

Available on HarborGuard: any image that packages a Chrome or Chromium binary below version 149.0.7827.53 is flagged at HIGH severity and queued for a patched rebuild pinned to 149.0.7827.53. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, runs a regression test, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding appears in the HarborGuard dashboard with the fix version noted and awaits manual approval before the rebuild is promoted.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H