How is CVE-2026-11213 exploited?

Network reachability (required): The attacker delivers the crafted HTML page over the network, so the vulnerable Chrome instance must be reachable or navigable to an attacker-controlled resource. Authentication (not-required): No account or credential is needed; the attack is launched from an unauthenticated position against any user who visits the crafted page. Victim interaction (required): The victim must open or navigate to a crafted HTML page, making this a social-engineering or drive-by delivery scenario. Attack complexity (info): Exploit complexity is low once the renderer process is already compromised, meaning no race conditions or special memory-layout conditions are required for the sandbox escape step itself; however, the prerequisite renderer compromise is an additional barrier not captured in the AC token.

What is the impact of CVE-2026-11213?

A successful sandbox escape lets the attacker execute code outside the Chrome sandbox with the privileges of the browser process, reading files and credentials accessible to the logged-in user. The attacker gains the ability to write or modify files on the host filesystem and tamper with persistent user data. Full availability impact means the attacker can crash or terminate the browser process and any dependent services. With a foothold outside the sandbox, the attacker can pivot to other processes or network resources accessible from the host.

Back to search

CRITICALCVE-2026-11213Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11213: Insufficient validation of untrusted input in Reading Mode in Google Chrome prior to 149

Insufficient validation of untrusted input in Reading Mode in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an insufficient input validation vulnerability in the Reading Mode feature of Google Chrome prior to version 149.0.7827.53. It is reachable over the network with no authentication required, but does require a victim to interact with a crafted HTML page, and also assumes the attacker has already compromised the renderer process. Successful exploitation enables a sandbox escape, granting the attacker capabilities outside the Chrome sandbox including full confidentiality, integrity, and availability impact on the host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11213 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle or depend on Chrome. Coverage spans both registry-stored images and images passing through CI/CD pipelines.

Available

Triage

HarborGuard surfaces this CVE with its CVSS v3.1 score of 9.6 (Critical) and applies per-environment compliance policy weighting to prioritize and route alerts to the appropriate team inbox within each customer organization.

Available

Patch

A patched-image rebuild at Chrome version 149.0.7827.53 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, the platform performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, so the vulnerable Chrome instance must be reachable or navigable to an attacker-controlled resource.
AuthenticationNot required
No account or credential is needed; the attack is launched from an unauthenticated position against any user who visits the crafted page.
Victim interactionRequired
The victim must open or navigate to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.
Attack complexityDetail
Exploit complexity is low once the renderer process is already compromised, meaning no race conditions or special memory-layout conditions are required for the sandbox escape step itself; however, the prerequisite renderer compromise is an additional barrier not captured in the AC token.

Blast Radius

A successful sandbox escape lets the attacker execute code outside the Chrome sandbox with the privileges of the browser process, reading files and credentials accessible to the logged-in user.
The attacker gains the ability to write or modify files on the host filesystem and tamper with persistent user data.
Full availability impact means the attacker can crash or terminate the browser process and any dependent services.
With a foothold outside the sandbox, the attacker can pivot to other processes or network resources accessible from the host.

How HarborGuard Handles This

Available on HarborGuard: the platform ingests upstream Chrome advisory data and matches CVE-2026-11213 against all customer images within minutes of publication, including internally built images that bundle Chrome. For environments running a Chrome version below 149.0.7827.53, a rebuilt image at the fix version is available. Where compliance policy permits auto-remediation, HarborGuard performs the patched rebuild, executes a regression run against the new image, and opens a pull request targeting affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually will find the affected image list, CVSS detail, and fix-version reference pre-populated in their HarborGuard dashboard for immediate action.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available