CVE-2026-11171: Integer overflow in Blink in Google Chrome prior to 149
Integer overflow in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
An integer overflow in Blink, the rendering engine used by Google Chrome, allows a remote attacker to execute arbitrary code inside the browser sandbox by serving a crafted HTML page. The vulnerability is reachable over the network with no authentication required, but the victim must visit a malicious page, making it a drive-by or social-engineering attack. Successful exploitation gives an attacker code execution within the Chrome sandbox, with high impact on confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: CVE-2026-11171 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome or Chromium binary. Any image carrying a Chrome version below 149.0.7827.53 is flagged automatically.
Available
HarborGuard scores this CVE at 8.8 HIGH (CVSS v3.1) and surfaces it against each environment's compliance policy weighting to prioritize accordingly. Findings are routed to the inbox or ticketing integration configured for the affected team within each customer organization.
Available
A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable and able to load remote content.
- Authentication: Not required
No account or credentials are needed on any system; the attacker only needs to serve a malicious page.
- Victim interaction: Required
The victim must navigate to or be redirected to the attacker-controlled HTML page, requiring at minimum a click or redirect for exploitation.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or environmental prerequisites.
Blast Radius
- An attacker executes arbitrary code inside the Chrome renderer sandbox, gaining control of the rendering process for the affected tab.
- Confidential data processed by or displayed in the browser, such as session tokens, form input, and page content, is readable by the attacker.
- The attacker can modify rendered content and browser state, enabling tampering with data the user reads or submits.
- The affected Chrome renderer process can be crashed or destabilized, disrupting the user's browsing session.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome below 149.0.7827.53 are matched against CVE-2026-11171 within minutes of the advisory being ingested. Where compliance policy permits, a patched rebuild at 149.0.7827.53 is prepared automatically; for customers who opt into auto-remediation, HarborGuard runs regression tests against the rebuilt image and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in auto-remediation-enabled environments. Customers who manage their own patch process can use the HarborGuard finding to prioritize the Chrome upgrade and validate the fixed version is present in their next image build.
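One way to validate that the fixed version is present in an image build, as an added example that is not HarborGuard's or Google's code. The function names and sample banners are constructed for illustration; only the 149.0.7827.53 threshold comes from this advisory.

```shell
#!/bin/sh
# Added example: build gate for CVE-2026-11171 (not HarborGuard or Google code).
FIXED_VERSION="149.0.7827.53"   # first fixed Chrome version, from the advisory

# Pull the first four-part version out of a `--version` banner.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeed if version $1 >= version $2. Components are compared as integers:
# a plain string compare would rank 149.0.7827.9 above 149.0.7827.53.
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # splits into $1..$4 (have) and $5..$8 (want)
    IFS=$old_ifs
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        have=${pair%%:*}; want=${pair##*:}
        if [ "$have" -gt "$want" ]; then return 0; fi
        if [ "$have" -lt "$want" ]; then return 1; fi
    done
    return 0                # all four components equal
}

# Exit status: 0 = fixed version or later, 1 = affected, 2 = no version found.
# An unreadable banner is reported separately so the gate can fail closed.
check_banner() {
    found=$(extract_version "$1") || true
    [ -n "$found" ] || return 2
    version_ge "$found" "$FIXED_VERSION" || return 1
    return 0
}

# Constructed sample banners; in a real build the input would be the banner
# printed by the image's Chrome or Chromium binary when run with --version.
demo() {
    for banner in "Google Chrome 149.0.7827.53" "Google Chrome 149.0.7827.9" \
                  "Chromium 148.0.7000.10 snap" "chrome: not found"; do
        rc=0; check_banner "$banner" || rc=$?
        case $rc in
            0) echo "PASS  $banner" ;;
            1) echo "FAIL  $banner (below $FIXED_VERSION)" ;;
            *) echo "FAIL  $banner (version unreadable)" ;;
        esac
    done
}
demo
```

Treating status 2 as a failure keeps an image from passing the gate when the browser binary is missing or its banner format changes.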
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H