CVE-2026-11211: Integer overflow in V8 in Google Chrome prior to 149
Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An integer overflow in V8, the JavaScript engine embedded in Google Chrome, affects all versions prior to 149.0.7827.53. The vulnerability is reachable over the network and requires no authentication, but does require a victim to visit a crafted HTML page. Successful exploitation gives a remote attacker arbitrary code execution inside the Chrome sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium.
AvailableHarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and can weight that score against each customer organization's compliance policy to route findings to the appropriate team inbox.
AvailableA patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network; the target Chrome instance must be able to load an externally hosted or attacker-controlled HTML page.
- AuthenticationNot required
No account, credential, or session token is needed; any unauthenticated user browsing to the crafted page is a valid target.
- Victim interactionRequired
The victim must visit a crafted HTML page, making this a social-engineering vector that requires luring or redirecting the target to attacker-controlled content.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- The attacker executes arbitrary code inside the Chrome renderer sandbox, gaining full control of the sandboxed process.
- Confidential data processed by the renderer, including page content, cookies, and in-memory credentials, is readable by the attacker.
- The attacker can write or modify data within the sandbox's reach, including cached files and storage accessible to the renderer process.
- The renderer process can be crashed or made unresponsive, disrupting the browsing session for the affected user.
How HarborGuard Handles This
Available on HarborGuard: detection against this CVE activates within minutes of publication for all customer images containing Chrome or Chromium. For environments confirmed to be running a version below 149.0.7827.53, a rebuilt image at the patched version is available immediately. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; for high-severity issues the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually will find the finding pre-scored at 8.8 HIGH and routed according to their configured policy. No compensating-control workaround substitutes for upgrading to 149.0.7827.53, but network-policy rules that restrict which container workloads can spawn or embed Chrome can reduce exposure while the upgrade is staged.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H