CVE-2026-11201: Use after free in ServiceWorker in Google Chrome prior to 149
Use after free in ServiceWorker in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the ServiceWorker component of Google Chrome allows an attacker to execute arbitrary code on the victim's machine. The flaw is reachable over the network but requires the victim to install a malicious Chrome extension crafted by the attacker; no authentication or existing account on the target is needed. Successful exploitation gives the attacker full code execution in the browser process, enabling data theft, tampering, and potential system compromise. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection capability for CVE-2026-11201 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chrome or Chromium binary. Any image layer containing a Chrome version below 149.0.7827.53 is flagged automatically.
Available
HarborGuard scores this CVE at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine routing priority. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Available
A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to contain an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
Available
Exploit Conditions
- Network reachability: Required. The attacker delivers the malicious extension over the network, so the victim's browser must be reachable or the victim must browse to attacker-controlled content.
- Authentication: Not required. No account or credential on the target system is needed; the attacker only needs to convince the victim to install the extension.
- Victim interaction: Required. The victim must be socially engineered into installing a crafted Chrome extension for the exploit to trigger.
- Attack complexity: Detail. Exploit conditions are straightforward and reliable once the extension is installed, with no race conditions or special memory layout requirements noted.
Blast Radius
- The attacker gains arbitrary code execution inside the Chrome browser process, allowing them to read session cookies, saved passwords, and browsing history.
- In-memory and on-disk data accessible to the browser profile can be exfiltrated, including stored credentials and autofill data.
- The attacker can modify web content, inject scripts into pages, or redirect the browser to attacker-controlled destinations.
- Depending on sandbox escape conditions, further privilege escalation to the underlying OS process space is possible.
How HarborGuard Handles This
Available on HarborGuard: any image containing Google Chrome below 149.0.7827.53 is flagged within minutes of the CVE entering upstream feeds. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the patched version, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS score, affected image list, and the recommended fix version attached. Customers who cannot immediately update are encouraged to apply network policy controls that restrict extension installation vectors and review extension allow-lists as a compensating measure while the rebuild is reviewed and merged.
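The two checks this section relies on, a version comparison against the fixed release and a review of the extension allow-list, are shown here as an added example that is not HarborGuard's or Google's code. The function names and sample inputs are constructed for illustration; `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are Chrome enterprise policy names, and the policy is assumed to be already parsed from the managed-policy JSON into a dict.

```python
import re

FIXED = (149, 0, 7827, 53)  # fixed version stated in the advisory

def parse_version(text):
    """Pull a four-part version out of `--version` style output, or None."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(text):
    """True if below FIXED, False if at or above it, None if unparseable."""
    version = parse_version(text)
    # Compare as integer tuples: as strings, "149.0.7827.6" sorts after
    # "149.0.7827.53" and "99..." after "149...", hiding affected builds.
    return None if version is None else version < FIXED

def extension_policy_gaps(policy):
    """List gaps in a managed-policy dict (the parsed policy JSON)."""
    gaps = []
    # A "*" entry in the blocklist denies every extension not allow-listed.
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        gaps.append("no default-deny: ExtensionInstallBlocklist lacks '*'")
    for ext_id in policy.get("ExtensionInstallAllowlist", []):
        # Chrome extension IDs are 32 characters drawn from a-p.
        if not re.fullmatch(r"[a-p]{32}", ext_id):
            gaps.append(f"malformed allow-list entry: {ext_id!r}")
    return gaps

# Constructed sample inputs (not taken from any real scan).
SAMPLE_VERSIONS = [
    "Google Chrome 149.0.7827.6",
    "Chromium 149.0.7827.53 snap",
    "Google Chrome 150.0.7900.12",
    "chrome: not found",
]
SAMPLE_POLICY = {"ExtensionInstallAllowlist": ["a" * 32, "not-an-id"]}

if __name__ == "__main__":
    for line in SAMPLE_VERSIONS:
        print(f"{line!r}: affected={is_affected(line)}")
    for gap in extension_policy_gaps(SAMPLE_POLICY):
        print("policy gap:", gap)
```

An unparseable version returns `None` rather than `False`, so a scanner built on this treats "could not determine" as a finding to investigate instead of a pass.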
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H