CVE-2026-11230: Use after free in Extensions in Google Chrome prior to 149
Use after free in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Extensions component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker to execute arbitrary code inside the browser sandbox by luring a user to a crafted HTML page. The attack is reachable over the network and requires no authentication, but does require the victim to visit or interact with a malicious page. Successful exploitation gives the attacker arbitrary code execution within the Chrome sandbox, which can be a stepping stone to further privilege escalation. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-11230 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium.
Status: Available
HarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and weighting it against each environment's compliance policy to route alerts to the appropriate team inbox within each customer organization.
Status: Available
A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run regression tests, and open a PR against affected workloads automatically.
Status: Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network, so the victim's Chrome instance must be reachable by or directed to an attacker-controlled resource.
- Authentication: Not required
No credentials or account privileges are needed; any unauthenticated remote attacker can attempt the exploit.
- Victim interaction: Required
The victim must visit or be redirected to a crafted HTML page, making this a social-engineering or drive-by-download scenario.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental configurations.
Blast Radius
- Attacker executes arbitrary code inside the Chrome renderer sandbox, gaining control of the sandboxed process.
- Confidential data processed by the browser, such as session tokens, form inputs, and cached credentials, is exposed to the attacker.
- Attacker can modify or forge browser-side state, enabling tampering with web content the victim is actively viewing.
- Browser process integrity is compromised, which can serve as a launchpad for sandbox-escape attempts targeting the underlying host.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11230 activates as soon as the advisory is ingested, matching any customer image that packages Chrome or Chromium below 149.0.7827.53. Where compliance policy permits auto-remediation, HarborGuard can rebuild affected images at the patched version, run the configured regression suite, and open a PR against impacted workloads; for high-severity issues, the median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. Customers who manage their own remediation timelines will see the finding in their HarborGuard dashboard with full CVSS detail and policy-weighted priority so the right team can act without manual triage overhead.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H