HIGH | CVE-2026-11158 | CNA: Chrome

CVE-2026-11158: Insufficient validation of untrusted input in Downloads in Google Chrome on Mac prior to 149

Insufficient validation of untrusted input in Downloads in Google Chrome on Mac prior to 149.0.7827.53 allowed a local attacker to potentially perform a sandbox escape via a crafted AppleScript command. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 8.6
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an insufficient input validation vulnerability in the Downloads component of Google Chrome on macOS, affecting all versions prior to 149.0.7827.53. An attacker with local access who can induce a user to interact with a crafted AppleScript command can exploit this flaw. Successful exploitation enables a sandbox escape, giving the attacker read access to sensitive data, the ability to modify files, and the ability to crash or disrupt the affected service. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-11158 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome on macOS base layers.

Triage: Available

HarborGuard scores this CVE at 8.6 HIGH (CVSS v3.1) and is capable of weighting that score against each customer environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within a customer org is available as part of the standard pipeline.

Patch: Available

A patched-image rebuild at Chrome 149.0.7827.53 becomes available in HarborGuard once the fix version is confirmed against an affected image. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • Authentication: Not required

    No account credentials or prior authentication are needed to attempt the exploit.

  • Victim interaction: Required

    The targeted user must interact with a crafted AppleScript command, making this a social-engineering-dependent attack.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout.

Blast Radius

  • A successful attacker escapes the Chrome sandbox and gains access to files and data outside the browser's restricted process boundary.
  • Confidential data stored on the host, including session tokens, credentials cached by the browser, and user files, becomes readable to the attacker.
  • The attacker can modify persisted files and application data on the affected macOS host.
  • The attacker can crash or disrupt the Chrome process and potentially other services reachable from the escaped sandbox context.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11158 is active across ingestion pipelines and will flag any customer image that bundles a Chrome version below 149.0.7827.53 on a macOS base layer. A patched-image rebuild targeting 149.0.7827.53 is available for affected images. For customers with auto-remediation enabled, HarborGuard can perform the rebuild, execute regression tests, and open a pull request against affected workloads; for high-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are queued for reviewer action without further configuration.


Fix available: 149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H