CRITICAL · CVE-2026-11165 · CNA: Chrome

CVE-2026-11165: Use after free in WebMIDI in Google Chrome on iOS prior to 149

Use after free in WebMIDI in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the WebMIDI component of Google Chrome on iOS allows a remote attacker to exploit freed memory by luring a user to a crafted HTML page. No prior authentication is needed, but the attacker must convince a target to visit a malicious page. Successful exploitation gives the attacker a sandbox escape, granting access to data and processes outside the browser's normal isolation boundary, with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11165 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed ingestion. Coverage extends to custom-built images that bundle Chrome on iOS, not just official base images.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.6 (Critical) and weighting it against each environment's compliance policy to determine escalation priority. Triage routing is available to direct findings to the appropriate team inbox within each customer organization.

Status: Available

Patch

A patched-image rebuild at Chrome version 149.0.7827.53 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the vulnerable service must be reachable from the internet or an accessible network path.

  • Authentication: Not required

    No account or credential is needed; any unauthenticated user browsing to the malicious page is a viable target.

  • Victim interaction: Required

    The attacker must socially engineer the target into opening a crafted HTML page, making user interaction a necessary step in the attack chain.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

Blast Radius

  • The attacker escapes the browser sandbox and gains code execution in a more privileged process context outside normal browser isolation.
  • Confidential data accessible to that elevated context, including stored credentials, session tokens, and on-device files, becomes readable.
  • The attacker can modify or delete data in that elevated context, tampering with application state or persisted files on the device.
  • The attacker can crash or destabilize services running in the affected process space, causing denial of service to the user or dependent components.

How HarborGuard Handles This

Available on HarborGuard: detection and remediation capabilities for CVE-2026-11165 are ready for any environment that includes Chrome on iOS prior to 149.0.7827.53 in its scanned images. The CVE is ingested from upstream feeds and matched against customer registries and pipelines within minutes of publication. Where compliance policy permits, a patched rebuild at version 149.0.7827.53 can be generated automatically; for customers with auto-remediation enabled, HarborGuard will trigger the rebuild, execute a regression test run, and open a PR against affected workloads. For Critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is routed to the appropriate team inbox with full CVSS context so engineers can act manually.


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H