Severity: HIGH | CVE-2026-11188 | CNA: Chrome

CVE-2026-11188: Use after free in USB in Google Chrome on Android prior to 149

Use after free in USB in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

Use-after-free in the USB component of Google Chrome on Android (versions prior to 149.0.7827.53) allows a remote attacker to exploit freed memory through a crafted HTML page delivered over the network, requiring no authentication but needing the victim to visit or interact with the malicious page. Successful exploitation enables a sandbox escape, giving the attacker read, write, and execution capabilities beyond the browser sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome on Android.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: CVE-2026-11188 is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built Android or Chromium-based container images. Any image bundling a Chrome on Android build older than 149.0.7827.53 is flagged automatically.
Triage: Available

HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and surfaces it with that severity in each customer environment, weighted by any compliance policy the organization has configured. Triage findings are routed to the appropriate team inbox within each customer org based on image ownership and policy rules.
Patch: Available

A patched-image rebuild at Chrome 149.0.7827.53 is available through HarborGuard the moment the fix version is resolved against an affected image. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim over the network by serving a crafted HTML page from a remotely accessible host.

  • Authentication: Not required

    No account or credential is needed on the target; the attacker only needs the victim to load the malicious page.

  • Victim interaction: Required

    The victim must visit or otherwise interact with a crafted HTML page, making this a social-engineering vector such as a phishing link or malicious ad.

  • Attack complexity: Low

    Attack complexity is rated low (AC:L) in the CVSS vector, meaning the exploit is treated as reliable and not dependent on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • Attacker escapes the Chrome browser sandbox, gaining code execution outside the browser process boundary.
  • Confidential data accessible to the browser process, including session tokens, stored credentials, and on-device user data, is exposed to reads.
  • Attacker can write to memory and filesystem regions outside the sandbox, enabling persistent modification of application data or installation of malicious payloads.
  • The affected process can be crashed or destabilized, causing service disruption for the browser and any dependent in-app functionality.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome on Android below version 149.0.7827.53 are detectable immediately upon CVE ingestion, with no manual scan configuration required. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image at 149.0.7827.53, runs a regression test pass, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where compliance policy does not permit automated remediation, HarborGuard surfaces the finding with full CVSS context and ownership routing so the responsible team can act directly. Because this vulnerability requires victim interaction via a crafted page, network-policy controls that restrict outbound browser traffic or limit access to untrusted origins can reduce exposure as a compensating control while a rebuild is prepared.


Fix available: 149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H