Severity: HIGH | CVE-2026-11202 | CNA: Chrome

CVE-2026-11202: Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149

Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

An inappropriate implementation flaw in Chrome for iOS (Google Chrome on iOS prior to 149.0.7827.53) allows a remote attacker to potentially perform a sandbox escape by convincing a user to visit a crafted HTML page. The vulnerability is reachable over the network with no authentication required, but the victim must load attacker-controlled content. Successful exploitation gives the attacker full read, write, and denial-of-service capability against the affected process (C:H/I:H/A:H in the CVSS vector), escaping the browser sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-11202 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle or distribute Chrome for iOS components.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and weighting it against each environment's compliance policy to determine urgency; findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at version 149.0.7827.53 becomes available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network; the target device must be able to reach attacker-controlled web content.

  • Authentication: Not required

    No account or credential is needed on the target system; the attack is fully unauthenticated.

  • Victim interaction: Required

    The victim must visit a crafted HTML page, requiring the attacker to socially engineer or redirect the user to attacker-controlled content.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • A successful sandbox escape lets the attacker read data held inside the Chrome sandbox, including session tokens, cached credentials, and browsing history.
  • The attacker gains write capability within the escaped context, enabling modification of stored application data or injection of malicious content into the browser process.
  • The attacker can crash or disrupt the Chrome process, causing a denial of service for the user.
  • Because the sandbox boundary is broken, the attacker may pivot to interact with OS-level resources that the browser process can access on the iOS device.

How HarborGuard Handles This

Available on HarborGuard: any image in a customer registry or pipeline that includes Google Chrome for iOS components below version 149.0.7827.53 is flagged at HIGH severity upon the next scan cycle, which begins within minutes of CVE ingestion. Where compliance policy permits, a rebuilt image at the fixed version (149.0.7827.53) is made available automatically. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression test run against the rebuilt image, and opens a pull request targeting affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Customers not using auto-remediation receive a prioritized finding routed to the configured owner inbox, with CVSS scoring and compliance-policy weighting attached to support triage decisions.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H