CRITICAL | CVE-2026-11207 | CNA: Chrome

CVE-2026-11207: Insufficient validation of untrusted input in Autofill in Google Chrome prior to 149

Insufficient validation of untrusted input in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

Insufficient input validation in the Autofill component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker to escape the browser sandbox via specially crafted network traffic. The attack is reachable over the network, requires no authentication, and needs only a single user interaction such as visiting a malicious page. Successful exploitation gives the attacker full read, write, and denial-of-service capability on the affected system, breaking out of the browser's isolation boundary. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11207 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or depend on affected Chrome releases. Any image in a customer registry or CI pipeline carrying a Chrome version below 149.0.7827.53 is flagged automatically.

Triage

Triage is available with a CVSS v3.1 score of 9.6 (Critical), and HarborGuard applies per-environment compliance policy weighting to prioritize findings before routing alerts to the appropriate team inbox within each customer organization. The scope-changed vector and full C:H/I:H/A:H impact profile cause this finding to rank at the top of any severity-ordered queue.

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard the moment the upstream fix is confirmed, and customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads automatically. Where compliance policy permits, the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.


Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim's browser over the network, meaning the malicious traffic or page is delivered remotely without any need for local access.

  • Authentication: Not required

    No account or credential is needed; the attacker can target any user who navigates to attacker-controlled content.

  • Victim interaction: Required

    The victim must interact with a malicious page or network resource, such as visiting a crafted URL, giving this a social-engineering component the attacker must arrange.

  • Attack complexity: Detail

    Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

Blast Radius

  • Reads sensitive data accessible to the browser process outside the sandbox, including stored credentials, cookies, and session tokens.
  • Writes or modifies files and data on the host system at the privilege level of the escaped process.
  • Can terminate or crash the browser and potentially other processes on the host, causing a denial of service.
  • Full sandbox escape means subsequent payloads can operate outside Chrome's isolation boundary, enabling further host-level compromise.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11207 is active across all customer environments, matching any image that ships or embeds a Chrome release below 149.0.7827.53. For customers who opt into auto-remediation, a rebuilt image at the patched version is produced, run through regression tests, and delivered as a pull request against affected workloads; at critical severity, the median time from publication to merged PR is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is staged and a high-priority alert is routed to the responsible team inbox so engineers can review and merge on their own schedule. Customers who cannot immediately rebuild are advised to enforce network policies that restrict access to untrusted external origins for services that embed Chrome, and to monitor egress for unexpected process-level traffic that could indicate a sandbox escape in progress.


Fix available: 149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H