CVE-2026-11131: Use after free in Autofill in Google Chrome on Android prior to 149
Use after free in Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
Use-after-free in the Autofill component of Google Chrome for Android (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escape the browser sandbox by delivering a crafted HTML page. The vulnerability is reachable over the network, requires no authentication, but does require a victim to interact with attacker-controlled content. Successful exploitation gives the attacker full confidentiality, integrity, and availability impact outside the sandbox boundary. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
- Detection (Available): Detection for CVE-2026-11131 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Android-targeted Chrome images, in both registry scans and active CI/CD pipelines. Any image packaging a Chrome for Android build prior to 149.0.7827.53 is flagged automatically.
- Scoring and triage (Available): HarborGuard scores this CVE at its published CVSS v3.1 severity of 9.6 (Critical) and weights that score against each customer environment's compliance policy to determine urgency and routing. Triage tickets or alerts are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
- Patched image (Available): A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any environment found running an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in those environments.
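The "prior to 149.0.7827.53" match above is only as good as the version comparison behind it. The following is an added example, not HarborGuard's scanner code, showing the check a defender's own inventory script needs: Chrome versions are dotted integer tuples, so they must be compared numerically rather than as strings (as strings, "99.0.4844.58" sorts after "149.0.7827.53"). The package identifier field and the inventory rows are constructed sample data; the inventory layout is an assumption.

```python
"""Affected-version check for CVE-2026-11131.

Added example, not code from the advisory or from HarborGuard. It shows the
comparison a scanner has to get right when matching "prior to 149.0.7827.53":
Chrome versions are dotted integer tuples, so a plain string comparison is
wrong ("99.0.4844.58" sorts *after* "149.0.7827.53" lexically). The inventory
rows below are constructed sample data.
"""
import re

FIXED_VERSION = "149.0.7827.53"   # fix version stated in the advisory
# Assumption: the inventory identifies Chrome for Android by this package id.
CHROME_ANDROID_PACKAGE = "com.android.chrome"


def parse_version(version: str) -> tuple:
    """Turn '149.0.7827.53' into (149, 0, 7827, 53); reject anything else."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed, comparing numerically component by
    component. Shorter versions are zero-padded so '149.0' == '149.0.0.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def scan_inventory(rows):
    """rows: iterable of (image, package, version) tuples (assumed layout).
    Returns the (image, version) entries that still ship a vulnerable build."""
    findings = []
    for image, package, version in rows:
        if package != CHROME_ANDROID_PACKAGE:
            continue
        if is_affected(version):
            findings.append((image, version))
    return findings


# Constructed sample inventory (not real images or real findings).
SAMPLE_INVENTORY = [
    ("registry.example/android-base:1", "com.android.chrome", "148.0.7710.90"),
    ("registry.example/android-kiosk:7", "com.android.chrome", "149.0.7827.53"),
    ("registry.example/android-legacy:2", "com.android.chrome", "99.0.4844.58"),
    ("registry.example/android-next:0", "com.android.chrome", "150.0.0.0"),
    ("registry.example/tools:3", "org.example.othertool", "1.2.3"),
]

if __name__ == "__main__":
    for image, version in scan_inventory(SAMPLE_INVENTORY):
        print(f"VULNERABLE {image} ships Chrome {version} < {FIXED_VERSION}")
```

The legacy entry is the case that a string comparison silently misses; the kiosk entry at exactly 149.0.7827.53 is correctly reported as not affected, since the fix version is the first safe build.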
Exploit Conditions
- Network reachability: Required
The attacker delivers the crafted HTML page over the network, so the victim's device must be able to load content from an attacker-controlled origin.
- Authentication: Not required
No account or credential is needed; the attack is launched through a page any unauthenticated user can visit.
- Victim interaction: Required
The victim must open or navigate to the attacker-crafted HTML page, making this a social-engineering or malicious-link delivery scenario.
- Attack complexity: Low
Attack complexity is rated Low, meaning the exploit is not expected to depend on race conditions, specific memory layouts, or other variable environmental factors. The rating does assume, as a prerequisite that the CVSS vector itself does not encode, that the renderer process has already been compromised.
Blast Radius
- An attacker who achieves sandbox escape reads arbitrary data from the device, including stored session tokens, saved passwords, and Autofill records held outside the Chrome sandbox.
- The attacker gains the ability to write to the filesystem and modify application data or install persistent payloads on the Android device.
- Full process availability outside the sandbox is compromised, allowing the attacker to crash or hang the host application and any dependent services.
- The scope of impact extends beyond the Chrome renderer process itself to the broader Android system context, consistent with the CVSS Changed Scope rating.
How HarborGuard Handles This
Available on HarborGuard: detection for this critical sandbox escape is matched against customer images the moment the CVE record is ingested, covering both registry-resident images and images built inside CI/CD pipelines. For environments running Chrome for Android below 149.0.7827.53, a rebuilt image at the fixed version is available immediately. Where compliance policy permits auto-remediation, HarborGuard queues a rebuild at 149.0.7827.53, executes a regression run against the updated image, and opens a pull request against affected workloads; at critical severity, the median time from publication to a merged patch PR is approximately 90 minutes. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with full CVSS context and fix-version detail so engineering teams can act manually. Given the renderer-compromise prerequisite, teams may also consider network-policy controls that restrict which origins Chrome-based workloads can load, reducing the attack surface while a patched image is promoted through staging.
Fix available
- Google / Chrome: affected < 149.0.7827.53 (fixed from 149.0.7827.53)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H