How is CVE-2026-11151 exploited?

Network reachability (required): The attacker delivers the crafted HTML page over the network, requiring the victim's browser to reach or be reached by the attacker-controlled content. Authentication (not-required): No account or credential is needed; the attack is launched from an unauthenticated remote position. Victim interaction (required): The victim must visit or be directed to a crafted HTML page, making social engineering or malicious ad delivery part of the attack chain. Attack complexity (info): Exploitation is high complexity because the attacker must first achieve a renderer process compromise before the sandbox escape becomes reachable.

What is the impact of CVE-2026-11151?

The attacker breaks out of the Chrome sandbox, gaining code execution at the privilege level of the browser process on the host. Confidential data accessible to the browser process, including stored credentials and session state, becomes readable by the attacker. The attacker can write to or modify files and system state accessible to the browser process on the host. The affected Chrome process and dependent services can be crashed or made unavailable.

Back to search

HIGHCVE-2026-11151Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11151: Insufficient validation of untrusted input in Password Manager in Google Chrome prior to 149

Insufficient validation of untrusted input in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

Insufficient input validation in the Password Manager component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. The attack is reachable over the network, requires no authentication, but does need the victim to interact with a malicious page, and exploitation is complex due to the prerequisite renderer compromise. Successful exploitation gives the attacker full read, write, and availability impact on the affected system. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11151 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication from upstream feeds. Coverage extends to custom-built images that bundle Chrome or Chromium, not just upstream base images.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.5 HIGH and weighting it against each environment's compliance policy to surface it at the appropriate severity tier. Routing to the correct team inbox within each customer organization is available based on image ownership and policy configuration.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected image version is detected. For customers with auto-remediation enabled, HarborGuard can perform the rebuild, run regression tests, and open a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, requiring the victim's browser to reach or be reached by the attacker-controlled content.
AuthenticationNot required
No account or credential is needed; the attack is launched from an unauthenticated remote position.
Victim interactionRequired
The victim must visit or be directed to a crafted HTML page, making social engineering or malicious ad delivery part of the attack chain.
Attack complexityDetail
Exploitation is high complexity because the attacker must first achieve a renderer process compromise before the sandbox escape becomes reachable.

Blast Radius

The attacker breaks out of the Chrome sandbox, gaining code execution at the privilege level of the browser process on the host.
Confidential data accessible to the browser process, including stored credentials and session state, becomes readable by the attacker.
The attacker can write to or modify files and system state accessible to the browser process on the host.
The affected Chrome process and dependent services can be crashed or made unavailable.

How HarborGuard Handles This

Available on HarborGuard: images containing Chrome prior to 149.0.7827.53 are flagged automatically as affected versions are matched against the published CVE record. A rebuilt image at the fixed version (149.0.7827.53) is available for affected environments. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the configured regression test suite, and opens a PR against workloads referencing the affected image; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a recommended upgrade path are surfaced in the HarborGuard dashboard for engineer review. Given that exploitation requires a renderer compromise as a prerequisite, network-policy controls limiting outbound browser traffic and restricting which images bundle Chrome into production workloads are available as compensating controls for environments that cannot patch immediately.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available