How is CVE-2026-11149 exploited?

Network reachability (required): The attacker must reach the victim over the network by serving a crafted HTML page from a remotely accessible host. Authentication (not-required): No account or credential is needed; the attacker operates without any authentication to the target system. Victim interaction (required): The victim must visit or be directed to the attacker-controlled HTML page, making this a social-engineering-dependent attack. Attack complexity (info): Exploitation is rated high complexity because it requires the attacker to have already compromised the renderer process before the privilege escalation step can occur.

What is the impact of CVE-2026-11149?

A successful attacker gains elevated privileges beyond the Chrome renderer sandbox, allowing reads of data that the renderer should not be able to access, such as session tokens or locally stored credentials. The attacker can write or modify data accessible at the escalated privilege level, including extension state and browser-managed storage. The attacker can cause disruption or crashes at the elevated privilege level, affecting browser stability and any workload running within that browser context.

Back to search

HIGHCVE-2026-11149Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11149: Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149

Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

An insufficient input validation vulnerability in the Extensions component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escalate privileges by serving a crafted HTML page. The attack requires no authentication but does involve a user visiting a malicious page, and it depends on the attacker having first gained a foothold in the renderer. Successful exploitation gives the attacker elevated access beyond normal renderer sandbox limits, enabling reads, writes, and disruption across affected components. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-11149 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome runtime.

Available

Triage

HarborGuard scores this CVE at 7.5 HIGH using the recorded CVSS v3.1 vector, and triage is available with per-environment compliance policy weighting to adjust priority based on whether Chrome or Chromium is part of a container's runtime. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the victim over the network by serving a crafted HTML page from a remotely accessible host.
AuthenticationNot required
No account or credential is needed; the attacker operates without any authentication to the target system.
Victim interactionRequired
The victim must visit or be directed to the attacker-controlled HTML page, making this a social-engineering-dependent attack.
Attack complexityDetail
Exploitation is rated high complexity because it requires the attacker to have already compromised the renderer process before the privilege escalation step can occur.

Blast Radius

A successful attacker gains elevated privileges beyond the Chrome renderer sandbox, allowing reads of data that the renderer should not be able to access, such as session tokens or locally stored credentials.
The attacker can write or modify data accessible at the escalated privilege level, including extension state and browser-managed storage.
The attacker can cause disruption or crashes at the elevated privilege level, affecting browser stability and any workload running within that browser context.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11149 fires against any image that packages a Chrome or Chromium binary older than 149.0.7827.53, covering both registry snapshots and images built inline in CI pipelines. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image at the patched version, runs regression tests, and opens a pull request against the affected workload; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual sign-off, the finding is queued in the appropriate team inbox with the CVSS score, affected image list, and the available fix version so reviewers have full context before approving the rebuild.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available