Severity: HIGH | CVE-2026-11179 | CNA: Chrome

CVE-2026-11179: Inappropriate implementation in ORB in Google Chrome prior to 149

Inappropriate implementation in ORB in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

An inappropriate implementation flaw in the Opaque Response Blocking (ORB) mechanism of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to bypass site isolation. The attacker must trick a victim into visiting a crafted HTML page: no authentication is required, but user interaction is, and the attack is reachable over the network. Successful exploitation gives the attacker read access to cross-origin data, the ability to modify that data, and the ability to disrupt the affected Chrome session (confidentiality, integrity and availability impact all rated High). A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-11179 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. This capability covers custom-built images that bundle Chrome or Chromium, not only official base images.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is part of the standard pipeline flow.

Patch (Available)

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard once the fix version is confirmed in the upstream feed. For customers who opt into auto-remediation, the pipeline performs the rebuild, runs a regression suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the target Chrome instance must be reachable and the victim must browse to the attacker-controlled URL.

  • Authentication: Not required

    No account or credential is needed; the attack is launched from any unauthenticated web origin.

  • Victim interaction: Required

    The victim must visit a crafted HTML page, making this a social-engineering vector where the attacker must persuade the user to open a malicious link.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • A successful attacker reads cross-origin response data that site isolation is meant to protect, including session tokens, authenticated API responses, and user-specific page content.
  • The attacker can modify or tamper with data in the context of the affected browsing session, undermining integrity of cross-origin interactions.
  • The attacker can disrupt the affected Chrome session or cause it to crash, denying service to the user.
  • Because confidentiality, integrity, and availability are all rated HIGH, the full scope of a compromised browser context is accessible to the attacker.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11179 is matched against any image bundling an affected Chrome or Chromium build as soon as the advisory enters the ingest feed. For environments running Chrome prior to 149.0.7827.53, a patched-image rebuild at the fix version is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who do not opt into auto-remediation receive a flagged finding in their triage queue with the fix version and affected image list attached for manual action.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome: < 149.0.7827.53 (fixed in 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H