HarborGuard Database
HIGH | CVE-2026-11239 | CNA: Chrome

CVE-2026-11239: Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 149.0.7827.53
Affected products: 1


HarborGuard Analysis

Synopsis

CVE-2026-11239 is a privilege escalation vulnerability in the Extensions component of Google Chrome prior to 149.0.7827.53, classed by Chromium as an "inappropriate implementation", its term for a logic flaw as opposed to a memory-safety bug. It is a second-stage bug: the attacker must already control Chrome's renderer process, typically by way of a separate renderer vulnerability triggered from a crafted HTML page the victim is lured to, and then uses this flaw to obtain privileges the compromised renderer should not have. The CVSS v3.1 vector on this page rates the impact high on confidentiality, integrity and availability (C:H/I:H/A:H) with scope unchanged (S:U), which is what produces the 7.5 HIGH score; Chromium's own security team rates the issue Low. Teams should therefore read the HIGH badge as a feed-derived base score and weigh the renderer-compromise prerequisite when prioritising. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-11239 is available across every HarborGuard environment. The CVE is matched against customer images within minutes of publication through continuous ingestion of upstream vulnerability feeds, including NVD and CNA advisories. Matching covers custom-built images that bundle Chrome or Chromium as well as standard base images pulled from public registries; the match is a version comparison of the bundled Chrome or Chromium binary against the fix version 149.0.7827.53.
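The matching described above reduces to a version comparison, and the classic way to get it wrong is to compare version strings lexicographically (under string ordering "149.0.7827.9" sorts above "149.0.7827.53"). The following is an added example, not HarborGuard's scanner code: it pulls the four-part Chrome/Chromium version out of constructed sample lines in the shapes produced by `google-chrome --version`, `chromium --version` and the Version field of `dpkg -s`, and compares the components numerically against the fix version from this record. The `SAMPLE_OUTPUT` lines are constructed for the example, not captured from a real image.

```python
"""Added example (not HarborGuard's scanner code): decide whether a Chrome or
Chromium build reported by an image is below the fixed version for
CVE-2026-11239, comparing the four dotted components numerically rather than
as strings."""
import re
from typing import List, Optional, Tuple

FIXED_VERSION = "149.0.7827.53"  # fix version from the advisory record

# Matches the four-part version in output such as
# "Google Chrome 148.0.7800.10" (google-chrome --version),
# "Chromium 149.0.7827.9"       (chromium --version), or
# "Version: 149.0.7827.53-1"    (dpkg -s google-chrome-stable).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version as a tuple of ints, or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_affected(reported: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the reported build is strictly below the fixed version,
    False if it is at or above it, None if no four-part version was found."""
    v = parse_version(reported)
    if v is None:
        return None
    return v < parse_version(fixed)  # tuple comparison is component-wise numeric


def scan_image_report(lines: List[str]) -> List[Tuple[str, Optional[bool]]]:
    """Return (line, verdict) for each line of scanner output."""
    return [(line, is_affected(line)) for line in lines]


# Constructed sample output for the example; not real scanner data.
SAMPLE_OUTPUT = [
    "Google Chrome 148.0.7800.10",         # older build: affected
    "Chromium 149.0.7827.9",               # below .53 numerically, but sorts
                                           # above it as a string
    "Version: 149.0.7827.53-1",            # exactly the fix version (dpkg form)
    "Google Chrome 150.0.7900.0",          # newer: not affected
    "google-chrome-stable not installed",  # nothing to match
]

if __name__ == "__main__":
    for line, verdict in scan_image_report(SAMPLE_OUTPUT):
        label = {True: "AFFECTED", False: "fixed", None: "no version"}[verdict]
        print(f"{label:<11} {line}")
    # String comparison would get the second sample wrong:
    assert "149.0.7827.9" > "149.0.7827.53"      # lexicographic: misleading
    assert is_affected("Chromium 149.0.7827.9")  # numeric: correct
```

A line with no parseable version is reported as unknown rather than as fixed, so an image whose Chrome install cannot be interrogated is not silently marked clean.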
Triage: Available

HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it against each customer environment's compliance policy to determine urgency. Because the upstream Chromium severity is Low and exploitation requires a prior renderer compromise, a policy that weighs exploitability in addition to the base score may rank this finding below other HIGH items. Triage routing directs findings to the appropriate team inbox within each customer organization based on the affected image and workload context.
Patch: Available

A patched-image rebuild at Chrome version 149.0.7827.53 becomes available through HarborGuard once the fix version is confirmed in the upstream advisory record. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required (AV:N)

    The crafted HTML page is served from a remote origin, so the victim's browser must be able to fetch attacker-controlled content over the network.

  • Authentication: Not required (PR:N)

    No account or credentials on the target system are needed; the attack starts with the browser rendering a crafted page.

  • Victim interaction: Required (UI:R)

    The victim must visit or be redirected to the crafted page, which usually means a social-engineering step such as a phishing link or a malicious ad.

  • Attack complexity: High (AC:H)

    The attacker must already have compromised the renderer process before this escalation step is possible. That renderer compromise is a separate vulnerability not covered by this CVE, and it is the prerequisite reflected in the AC:H metric and in Chromium's Low severity rating.

Blast Radius

  • Confidentiality (C:H): the attacker reads data reachable from the elevated process, such as browser profile data, stored credentials and session tokens.
  • Integrity (I:H): the attacker modifies application state at the escalated privilege level, including browser profile data.
  • Availability (A:H): the attacker disrupts the affected Chrome instance by exercising escalated process control.
  • Whether any of this extends to host filesystem contents or other system services is not established by the record: the vector's scope is unchanged (S:U) and Chromium rates the bug Low, so treat impact beyond the browser as unconfirmed rather than assumed.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-11239 fires as soon as the CVE is ingested from upstream feeds and matches any customer image that bundles a Chrome or Chromium binary below version 149.0.7827.53. Where compliance policy permits auto-remediation, HarborGuard rebuilds the affected image at the patched version, runs a regression suite and opens a pull request against the affected workload; for high-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. Customers who manage their own remediation cadence see the finding in the HarborGuard dashboard with the CVSS score, the affected image inventory and the fix version. Because this vulnerability only matters once a renderer process has already been compromised, teams running Chrome in headless or automated-browser containers should also restrict which origins those workloads may fetch (egress allow-listing in the network policy): a browser that can only load trusted content cannot be steered to the crafted page that delivers the initial renderer compromise. Such controls reduce exposure but do not replace upgrading to 149.0.7827.53.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome: < 149.0.7827.53 (fixed in 149.0.7827.53)

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H