CVE-2026-11153: Side-channel information leakage in Forms in Google Chrome prior to 149
Side-channel information leakage in Forms in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A side-channel information leakage vulnerability affects the Forms component in Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network with no authentication or user interaction required, allowing a remote attacker to serve a crafted HTML page that triggers cross-origin data exposure. Successful exploitation lets an attacker read data from other origins and tamper with it, violating both confidentiality and integrity. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-11153 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle a vulnerable Chrome version. Matching runs against images in both customer registries and active CI/CD pipelines.
Available
HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 9.1 (Critical) and weighting that score against each environment's compliance policy to determine response priority. Triage routing can direct findings to the appropriate team or inbox within each customer organization based on configured policy.
Available
A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any image found to include an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker delivers the exploit over the network by directing a target browser to a crafted HTML page hosted remotely.
- Authentication: Not required
  No account or credential is needed; any unauthenticated remote party can serve the malicious page.
- Victim interaction: Not required
  No user action beyond normal browsing is required to trigger the side-channel leakage.
- Attack complexity: Detail
  Exploit conditions are straightforward and reliable, with no race conditions or special environmental setup required.
Blast Radius
- An attacker reads cross-origin data from other web origins loaded in the same browser session, including cookies, tokens, or page content that the same-origin policy is meant to protect.
- An attacker modifies cross-origin data reachable through the Forms component, allowing unauthorized writes or injections into protected contexts.
- The combined confidentiality and integrity impact means session hijacking, credential theft, or data manipulation are all within reach of a successful exploit.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11153 is ready the moment the advisory is ingested, matching any image that bundles a Chrome build older than 149.0.7827.53. For environments with auto-remediation enabled, HarborGuard can rebuild the image at the patched version, run regression tests, and open a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation active. Where compliance policy requires manual approval, the rebuilt image and test results are staged and surfaced in the dashboard for reviewer action. Customers who have not yet enabled auto-remediation can prioritize this finding using the CVSS 9.1 score and the network-reachable, zero-interaction attack vector as triage signals.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N