How is CVE-2026-11146 exploited?

Network reachability (required): The attacker delivers the crafted HTML page over the network, so the vulnerable Chrome instance must be reachable or navigable to an attacker-controlled resource. Authentication (not-required): No account or credential is needed; the attacker only needs to direct the victim to a crafted page. Victim interaction (required): The victim must open or be redirected to a crafted HTML page, making social engineering or malicious-ad delivery a prerequisite. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond the renderer-compromise prerequisite.

What is the impact of CVE-2026-11146?

An attacker who escapes the sandbox reads files, credentials, and session tokens accessible to the browser process on the host. The attacker writes or modifies files and data on the host filesystem outside the sandbox boundary. The attacker can crash or terminate host-level processes, disrupting availability of the affected system. Because the scope is changed (S:C), impact extends beyond the browser itself to other components sharing the host.

Back to search

CRITICALCVE-2026-11146Published 2026-06-04Modified 2026-06-06CNA Chrome

CVE-2026-11146: Insufficient validation of untrusted input in Chromoting in Google Chrome prior to 149

Insufficient validation of untrusted input in Chromoting in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

Insufficient input validation in the Chromoting component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escape the browser sandbox. The vulnerability is reachable over the network, requires no authentication, but does require the victim to interact with a crafted HTML page. Successful exploitation gives the attacker full read, write, and availability impact outside the sandbox boundary, effectively granting host-level code execution. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11146 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images that bundle or ship Chrome. Coverage extends to both registry scans and in-pipeline image checks at build time.

Available

Triage

HarborGuard scores this CVE at 9.6 CRITICAL (CVSS v3.1) and is capable of weighting that score against each environment's compliance policy to determine urgency and routing. Triage assignments are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available through HarborGuard once the fix version is confirmed in upstream feeds. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, so the vulnerable Chrome instance must be reachable or navigable to an attacker-controlled resource.
AuthenticationNot required
No account or credential is needed; the attacker only needs to direct the victim to a crafted page.
Victim interactionRequired
The victim must open or be redirected to a crafted HTML page, making social engineering or malicious-ad delivery a prerequisite.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond the renderer-compromise prerequisite.

Blast Radius

An attacker who escapes the sandbox reads files, credentials, and session tokens accessible to the browser process on the host.
The attacker writes or modifies files and data on the host filesystem outside the sandbox boundary.
The attacker can crash or terminate host-level processes, disrupting availability of the affected system.
Because the scope is changed (S:C), impact extends beyond the browser itself to other components sharing the host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11146 is active across customer environments and matched against any image containing an affected Chrome build below 149.0.7827.53. Given the CRITICAL severity (9.6), patched-image rebuilds at 149.0.7827.53 are prioritized in the remediation queue. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image, execute regression tests, and open a pull request against impacted workloads. The median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuild is staged and a triage ticket is routed to the designated owner for review and merge.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available