How is CVE-2026-11191 exploited?

Network reachability (required): The attacker must be able to reach the victim over the network by delivering or linking to a crafted HTML page served from a remote host. Authentication (not-required): No account or credential is needed; the attacker exploits an unauthenticated browser rendering path. Victim interaction (required): The victim must open or navigate to the attacker-controlled HTML page, requiring a social-engineering or malicious-ad delivery step. Attack complexity (info): The exploit is reliable and condition-free once the victim loads the page; no race conditions or special memory layout is required.

What is the impact of CVE-2026-11191?

Reads arbitrary memory from the Chrome renderer process, exposing stored credentials, session tokens, and page content from other origins. Writes to out-of-bounds memory regions, allowing the attacker to corrupt renderer state or overwrite security-sensitive data structures. Crashes the affected Chrome renderer process, causing loss of the active browsing session and any unsaved in-page data. Combined high-confidence read, write, and crash capability makes this a strong primitive for chaining toward a full browser sandbox escape.

Back to search

HIGHCVE-2026-11191Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11191: Out of bounds memory access in ANGLE in Google Chrome prior to 149

Out of bounds memory access in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

Out-of-bounds memory access in the ANGLE graphics layer of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to read or write outside allocated memory by serving a crafted HTML page. The attack is reachable over the network, requires no authentication, but does require the victim to visit a malicious or compromised page. Successful exploitation gives the attacker full read, write, and crash capabilities over the affected browser process. A patched-image rebuild at 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11191 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium. No manual configuration is required for the match to occur.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and weighting that score against each environment's compliance policy to determine urgency. Triage routing routes findings to the appropriate team inbox within each customer organization based on policy configuration.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must be able to reach the victim over the network by delivering or linking to a crafted HTML page served from a remote host.
AuthenticationNot required
No account or credential is needed; the attacker exploits an unauthenticated browser rendering path.
Victim interactionRequired
The victim must open or navigate to the attacker-controlled HTML page, requiring a social-engineering or malicious-ad delivery step.
Attack complexityDetail
The exploit is reliable and condition-free once the victim loads the page; no race conditions or special memory layout is required.

Blast Radius

Reads arbitrary memory from the Chrome renderer process, exposing stored credentials, session tokens, and page content from other origins.
Writes to out-of-bounds memory regions, allowing the attacker to corrupt renderer state or overwrite security-sensitive data structures.
Crashes the affected Chrome renderer process, causing loss of the active browsing session and any unsaved in-page data.
Combined high-confidence read, write, and crash capability makes this a strong primitive for chaining toward a full browser sandbox escape.

How HarborGuard Handles This

Available on HarborGuard: detection against all images containing Chrome or Chromium below 149.0.7827.53 is active the moment the CVE enters the upstream feed. For customers who opt into auto-remediation, HarborGuard queues a patched-image rebuild at 149.0.7827.53, runs the configured regression suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is surfaced in the triage queue with CVSS 8.8 scoring and remediation guidance pointing to the 149.0.7827.53 release. As a compensating control prior to patching, network policy rules that restrict outbound navigation to untrusted origins, or feature-flag gating of Chrome deployment in affected container workloads, can reduce exposure surface while the rebuild is prepared.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available