HIGH | CVE-2026-11177 | CNA: Chrome

CVE-2026-11177: Use after free in Omnibox in Google Chrome prior to 149

Use after free in Omnibox in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free in the Chrome Omnibox (the address bar component) affects Google Chrome versions prior to 149.0.7827.53. The vulnerability is reachable over the network and requires no authentication, but the attacker must convince a user to perform specific UI gestures on a crafted HTML page. Successful exploitation corrupts heap memory, which can potentially let the attacker read sensitive data, modify application state, or execute arbitrary code within the browser process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or layer Chrome. Any image carrying a Chrome version below 149.0.7827.53 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 8.8 HIGH (CVSS v3.1) and weights it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer org based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network; the user's Chrome instance must be able to load attacker-controlled content.

  • Authentication: Not required

    No account, credential, or prior authentication is needed; any unauthenticated remote attacker can serve the malicious page.

  • Victim interaction: Required

    The attacker must socially engineer the victim into performing specific UI gestures (such as clicking or interacting with the address bar) on a crafted page before the vulnerability triggers.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit does not depend on race conditions, specific memory layouts, or other environmental factors and is expected to be reliable once the victim interaction requirement is met.

Blast Radius

  • Reads in-process memory, exposing stored credentials, session tokens, autofill data, and browsing history held in the Chrome process.
  • Modifies heap memory, allowing the attacker to alter application state or inject data into the running browser process.
  • Achieves arbitrary code execution within the browser process at the privilege level of the logged-in user.
  • Crashes the affected Chrome renderer or browser process, causing a denial of service for the user session.

How HarborGuard Handles This

Available on HarborGuard: any image carrying Chrome below 149.0.7827.53 is detected automatically upon CVE ingestion and queued for remediation. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fixed version, runs a regression test pass, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval, the rebuild artifact is staged and a triage alert is routed to the responsible team inbox for review. Because victim interaction is a prerequisite for exploitation, teams without auto-remediation enabled may also consider browser-policy controls or network egress filtering as a compensating control while the patched image is reviewed and promoted.

Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H