How is CVE-2026-11236 exploited?

Network reachability (required): The attacker delivers the crafted HTML page over the network, requiring the victim's browser to reach an attacker-controlled resource. Authentication (not-required): No account or credential is needed; the attack is launched from an unauthenticated remote position. Victim interaction (required): The victim must navigate to or load a crafted HTML page, making social engineering a necessary part of the attack chain. Attack complexity (info): Exploitation is rated high complexity because it presupposes a prior renderer process compromise before the sandbox escape becomes possible.

What is the impact of CVE-2026-11236?

Attacker escapes the Chrome browser sandbox and gains code execution in the context of the host process, bypassing the browser's primary isolation boundary. Full read access to host-level files and memory outside the renderer sandbox becomes available, including credentials, session data, and other sensitive on-disk material. Attacker can write or modify files and data on the host system beyond what the sandboxed renderer is permitted to touch. The host process and any services sharing its privilege level can be crashed or made unavailable.

Back to search

HIGHCVE-2026-11236Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11236: Insufficient policy enforcement in Web Bluetooth in Google Chrome prior to 149

Insufficient policy enforcement in Web Bluetooth in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

An insufficient policy enforcement flaw in the Web Bluetooth component of Google Chrome prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. The vulnerability is reachable over the network but requires victim interaction and involves high attack complexity, reflecting the prerequisite of a compromised renderer. Successful exploitation gives the attacker full read, write, and availability impact on the host beyond the browser sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11236 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. Coverage extends to custom-built images that bundle Google Chrome, including internal base images derived from Debian, Ubuntu, or other distributions.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.3 HIGH and weighting it against each environment's compliance policy to prioritize routing. Triage findings are surfaced to the relevant team inbox within each customer organization based on image ownership and policy configuration.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found running an affected version. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, requiring the victim's browser to reach an attacker-controlled resource.
AuthenticationNot required
No account or credential is needed; the attack is launched from an unauthenticated remote position.
Victim interactionRequired
The victim must navigate to or load a crafted HTML page, making social engineering a necessary part of the attack chain.
Attack complexityDetail
Exploitation is rated high complexity because it presupposes a prior renderer process compromise before the sandbox escape becomes possible.

Blast Radius

Attacker escapes the Chrome browser sandbox and gains code execution in the context of the host process, bypassing the browser's primary isolation boundary.
Full read access to host-level files and memory outside the renderer sandbox becomes available, including credentials, session data, and other sensitive on-disk material.
Attacker can write or modify files and data on the host system beyond what the sandboxed renderer is permitted to touch.
The host process and any services sharing its privilege level can be crashed or made unavailable.

How HarborGuard Handles This

Available on HarborGuard: any container image bundling Google Chrome below version 149.0.7827.53 is flagged as affected and a rebuild at 149.0.7827.53 is queued automatically upon CVE ingestion. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression check, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the patched rebuild and a CVSS 8.3 HIGH triage summary are routed to the appropriate team inbox so reviewers have everything needed to approve and merge without additional research.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available