How is CVE-2026-11173 exploited?

Network reachability (required): The attacker delivers the exploit over the network; the target Chrome instance must be reachable in the sense that the victim's browser fetches the attacker-controlled HTML page. Authentication (not-required): No account or credential is needed; any unauthenticated remote attacker can serve the malicious page. Victim interaction (required): The victim must visit or be redirected to a crafted HTML page, making this a social-engineering or drive-by-delivery scenario. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors beyond the renderer-process pre-compromise prerequisite noted in the description.

What is the impact of CVE-2026-11173?

Executes arbitrary code inside the Chrome renderer sandbox, giving the attacker control over the sandboxed process. Reads in-memory data accessible to the renderer, including page content, session tokens, and form input captured before the sandbox boundary. Modifies in-renderer state, enabling manipulation of displayed content or preparation of a follow-on sandbox-escape payload. When chained with a sandbox-escape primitive, extends attacker control to the host operating system and any data or credentials accessible to the Chrome process.

Back to search

HIGHCVE-2026-11173Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11173: Out of bounds write in V8 in Google Chrome prior to 149

Out of bounds write in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability in V8, the JavaScript engine embedded in Google Chrome, allows a remote attacker who has already compromised the renderer process to execute arbitrary code within the browser sandbox by delivering a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though the victim must visit a malicious or attacker-controlled page. Successful exploitation gives the attacker code execution inside the sandbox, which can be chained with a sandbox-escape to achieve full host compromise. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: CVE-2026-11173 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chromium or Chrome binary. No manual triage step is required to trigger the match.

Available

Triage

HarborGuard scores this finding at CVSS 8.8 (High) and is capable of weighting it further against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer org.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to contain an affected version. For customers with auto-remediation enabled, the platform rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network; the target Chrome instance must be reachable in the sense that the victim's browser fetches the attacker-controlled HTML page.
AuthenticationNot required
No account or credential is needed; any unauthenticated remote attacker can serve the malicious page.
Victim interactionRequired
The victim must visit or be redirected to a crafted HTML page, making this a social-engineering or drive-by-delivery scenario.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors beyond the renderer-process pre-compromise prerequisite noted in the description.

Blast Radius

Executes arbitrary code inside the Chrome renderer sandbox, giving the attacker control over the sandboxed process.
Reads in-memory data accessible to the renderer, including page content, session tokens, and form input captured before the sandbox boundary.
Modifies in-renderer state, enabling manipulation of displayed content or preparation of a follow-on sandbox-escape payload.
When chained with a sandbox-escape primitive, extends attacker control to the host operating system and any data or credentials accessible to the Chrome process.

How HarborGuard Handles This

Available on HarborGuard: images containing a Chrome or Chromium binary below version 149.0.7827.53 are flagged automatically as part of each scheduled and on-push scan cycle. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image at the patched version, runs regression tests, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers who manage patching manually, the finding is routed to the designated inbox with full CVSS context and a direct reference to the fix version so remediation can begin without additional research. Where compliance policy flags renderer-process exposure as elevated risk, HarborGuard is capable of applying additional policy weight to surface this finding ahead of lower-priority queue items.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available