How is CVE-2026-11164 exploited?

Network reachability (required): The attacker delivers the crafted HTML page over the network, so the victim's browser must be reachable from or directed to an attacker-controlled internet location. Authentication (not-required): No account or credential is needed; the attacker only has to serve a malicious page to the target. Victim interaction (required): The victim must open the crafted HTML page in an affected version of Chrome, making this a social-engineering vector (phishing link, malicious ad, or similar). Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory-layout guesses, or other environmental factors.

What is the impact of CVE-2026-11164?

Executes arbitrary code inside Chrome's renderer sandbox, giving the attacker a foothold for further sandbox-escape attempts. Reads in-browser data such as stored session cookies, autofill values, and page content from any origin loaded in the compromised renderer. Modifies or injects content into pages rendered by the affected process, enabling credential harvesting or silent form tampering. Crashes or destabilizes the affected browser process, disrupting the victim's session and any dependent services.

Back to search

HIGHCVE-2026-11164Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11164: Use after free in Blink in Google Chrome prior to 149

Use after free in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in Blink, the rendering engine of Google Chrome prior to version 149.0.7827.53, allows a remote attacker to execute arbitrary code. The attacker delivers a crafted HTML page over the network and requires no authentication, but does need the victim to visit the page in a browser. Successful exploitation results in arbitrary code execution inside Chrome's sandbox, enabling further attack chaining against the host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-11164 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chromium or Chrome binary. Any image carrying a Chrome version below 149.0.7827.53 will surface as affected in the scan results.

Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and weights findings against each customer org's compliance policy to determine urgency and routing. Findings are delivered to the team inbox or ticketing integration configured for the affected environment.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available in HarborGuard as soon as the fix version is confirmed in the upstream advisory. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, so the victim's browser must be reachable from or directed to an attacker-controlled internet location.
AuthenticationNot required
No account or credential is needed; the attacker only has to serve a malicious page to the target.
Victim interactionRequired
The victim must open the crafted HTML page in an affected version of Chrome, making this a social-engineering vector (phishing link, malicious ad, or similar).
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory-layout guesses, or other environmental factors.

Blast Radius

Executes arbitrary code inside Chrome's renderer sandbox, giving the attacker a foothold for further sandbox-escape attempts.
Reads in-browser data such as stored session cookies, autofill values, and page content from any origin loaded in the compromised renderer.
Modifies or injects content into pages rendered by the affected process, enabling credential harvesting or silent form tampering.
Crashes or destabilizes the affected browser process, disrupting the victim's session and any dependent services.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11164 runs against every image in connected registries and CI pipelines, flagging any layer that ships a Chrome binary below 149.0.7827.53. A rebuilt image at the fix version is available for affected environments immediately upon advisory confirmation. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, executes the configured regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the designated security inbox with fix-version details and a link to this advisory so teams can act manually.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available