CVE-2026-11237 | Severity: HIGH | CNA: Chrome

CVE-2026-11237: Insufficient validation of untrusted input in Media in Google Chrome prior to 149

Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Insufficient input validation in the Media component of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to spoof the browser UI by serving a crafted HTML page. The attack requires the victim to visit the malicious page and carries high complexity due to the prerequisite renderer compromise, but the CVSS v3.1 scope is changed, reflecting the ability to affect components outside the sandboxed renderer. Exploitation enables full confidentiality, integrity, and availability impact across affected scope. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Chrome CNA advisory) within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome or Chromium runtime. Any image layer carrying a Chrome binary older than 149.0.7827.53 is flagged automatically.

Triage (Available)

HarborGuard scores this CVE at 8.3 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy, escalating to the appropriate team inbox. The changed-scope indicator is surfaced in the triage detail so reviewers understand the cross-boundary impact.

Patch (Available)

A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the victim's browser must be reachable to or directed toward an attacker-controlled web origin.

  • Authentication: Not required

    No account or credential is needed; any unauthenticated remote party can serve the malicious page.

  • Victim interaction: Required

    The victim must navigate to or load the crafted HTML page, making social engineering (phishing link, malicious ad, redirected URL) a prerequisite.

  • Attack complexity (detail)

    Attack complexity is high because the attacker must first have compromised the renderer process before UI spoofing becomes possible, requiring a multi-stage exploitation chain.

Blast Radius

  • A successful attacker can spoof trusted browser UI elements, deceiving the victim into believing they are interacting with a legitimate origin or security dialog.
  • Confidentiality impact is high: the spoofed UI can harvest credentials, authentication tokens, or other sensitive data the user believes they are submitting to a trusted site.
  • Integrity impact is high: the attacker can manipulate what the user sees and acts on, causing the victim to approve or submit data intended for a fraudulent destination.
  • Availability impact is high: the attacker can disrupt the browser session or render the browser interface non-functional from the user's perspective.

How HarborGuard Handles This

Available on HarborGuard: detection fires on any image bundling Chrome below 149.0.7827.53, with results visible in the registry scan dashboard and pipeline gate logs. The fix version (149.0.7827.53) is the rebuild target; where compliance policy permits, auto-remediation customers receive a rebuilt image, a regression-test run, and a PR opened against affected workloads, with a median patch-PR merge time of roughly 90 minutes for high-severity findings. The CVSS scope-changed flag is included in the triage detail to ensure reviewers account for cross-component exposure. Environments that cannot immediately rebuild should consider restricting access to untrusted web content within the affected container workload as a compensating control until the patched image is deployed.

Fix available: 149.0.7827.53
Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H