CVE-2026-11136: Use after free in Canvas in Google Chrome prior to 149
Use after free in Canvas in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
Use-after-free in the Canvas component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker to execute arbitrary code inside the browser sandbox by luring a victim to a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though the victim must take an action such as visiting a malicious URL. Exploitation gives the attacker code execution within the Chrome sandbox, with high impact on confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-11136 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium.
HarborGuard scores this CVE at 8.8 HIGH (CVSS v3.1) and is capable of weighting that score against each customer environment's compliance policy to route findings to the correct team inbox automatically.
A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the exploit over the network; the target Chrome instance must be reachable by directing the victim to an attacker-controlled URL.
- Authentication: Not required
  No credentials or account on any system are needed; the attack works against any unauthenticated browser session.
- Victim interaction: Required
  The victim must visit a crafted HTML page, meaning the attacker must convince the user to click a link or otherwise navigate to the malicious content.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- The attacker executes arbitrary code within the Chrome renderer sandbox, gaining a foothold for further privilege escalation.
- With high confidentiality impact, the attacker can read in-browser data including session tokens, cookies, and page contents.
- With high integrity impact, the attacker can modify in-browser state, inject content into pages, or tamper with data processed by the renderer.
- With high availability impact, the attacker can crash the affected Chrome process or render it unresponsive.
How HarborGuard Handles This
Available on HarborGuard: any image that bundles Google Chrome below 149.0.7827.53 is flagged against this CVE immediately upon scan. Where a customer's compliance policy permits auto-remediation, HarborGuard rebuilds the image at the fixed version (149.0.7827.53), runs a regression test suite against the rebuilt image, and opens a PR against affected workloads. For high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. For environments that manage patching manually, HarborGuard surfaces the finding with the fix version pinned so engineers can act without additional research.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H