HIGH | CVE-2026-11154 | CNA: Chrome

CVE-2026-11154: Use after free in Dawn in Google Chrome prior to 149

Use after free in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Use-after-free in Dawn (the WebGPU backend) in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to escape the Chrome sandbox via a crafted HTML page. The attack requires the victim to visit a malicious page and involves high attack complexity, but no authentication is needed. Successful exploitation gives the attacker full control over the host process outside the sandbox, enabling arbitrary code execution, data theft, and system tampering. A patched-image rebuild at 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection for CVE-2026-11154 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Chrome or Chromium as a dependency. Any image shipping a Chrome version below 149.0.7827.53 is flagged automatically.

Status: Available

Triage

HarborGuard scores this finding at CVSS 7.5 (High) using the published v3.1 vector, and per-environment compliance policy weighting can escalate or suppress the finding based on how Chrome is used in each workload. Routed findings land in the inbox of the team or individual mapped to the affected image within each customer organization.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available through HarborGuard once the upstream fix is confirmed in the image layer. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must deliver the crafted HTML page to the victim over the network, requiring the target to reach an attacker-controlled web resource.

  • Authentication: Not required

    No account or credentials are needed; the exploit is reachable by any unauthenticated visitor to the malicious page.

  • Victim interaction: Required

    The victim must open a crafted HTML page, meaning the attacker must socially engineer the target into visiting a malicious URL.

  • Attack complexity: Detail

    Attack complexity is High, meaning the attacker must first achieve renderer process compromise before the use-after-free can be used for sandbox escape, making reliable exploitation dependent on chaining with a prior vulnerability.

Blast Radius

  • An attacker who succeeds in the sandbox escape can execute arbitrary code outside the Chrome sandbox with the privileges of the browser process.
  • Confidential data accessible to the browser process, including stored credentials, session tokens, and local files, becomes readable.
  • The attacker can write or modify files and system state on the host, enabling persistence or lateral movement.
  • The host process can be crashed or destabilized, causing service disruption for the affected user session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11154 is active across all scanned registries and CI pipelines, flagging any image that includes Chrome below version 149.0.7827.53. For customers who opt into auto-remediation, HarborGuard makes a rebuilt image at the patched version available, runs regression tests against it, and opens a pull request targeting affected workloads. For High-severity issues like this one, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers whose compliance policy does not permit auto-remediation will see the finding routed to their configured team inbox with full CVSS context, affected layer details, and a direct reference to the fix version so a manual upgrade path can be initiated promptly.


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H