CVE-2026-11152: Object lifecycle issue in Dawn in Google Chrome prior to 149

Synopsis

A use-after-free (object lifecycle) vulnerability in Dawn, the WebGPU backend used by Google Chrome, affects all Chrome releases before 149.0.7827.53. The flaw is reachable over the network without authentication, but requires the victim to visit a crafted HTML page. Successful exploitation lets a remote attacker escape Chrome's sandbox, gaining code execution or full access to data and processes outside the browser's isolated environment. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker delivers the exploit over the network by luring the victim to a crafted HTML page, so the Chrome instance must be reachable or browsing-capable from an internet-connected context.

• AuthenticationNot required

  No account, session token, or credential of any kind is required; the exploit is delivered entirely through a web page visited by the victim.

• Victim interactionRequired

  The victim must open or be redirected to a specially crafted HTML page, making this a social-engineering or drive-by-delivery scenario.

• Attack complexityDetail

  Attack complexity is Low, meaning the exploit is reliable and requires no special race condition, memory layout dependency, or other environmental precondition beyond the victim visiting the page.

Blast Radius

• The attacker escapes Chrome's sandbox, breaking the primary isolation boundary between web content and the host operating system.
• With sandbox escape achieved, the attacker reads files, credentials, and session tokens accessible to the user running Chrome.
• The attacker can write or modify files and data on the host, including persisted application state and configuration.
• The attacker gains the ability to crash, terminate, or take over processes on the host outside the browser context.