CVE-2026-11241: Insufficient validation of untrusted input in Cast in Google Chrome prior to 149
Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Metrics
- CVSS v3.1: 8.0
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
Insufficient input validation in the Cast component of Google Chrome (versions prior to 149.0.7827.53) allows an attacker on the same local network segment to escalate privileges by tricking a victim into visiting a crafted HTML page. The attacker needs no prior authentication, but does require the victim to interact with malicious content, and exploitation results in full confidentiality, integrity, and availability impact on the affected browser session. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected Chrome version.
HarborGuard Coverage
Detection of CVE-2026-11241 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a vulnerable Chrome release. Coverage extends to both registry scans and pipeline-integrated scans run at build time.
Available
HarborGuard scores this CVE at CVSS 8.0 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
Available
A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any image found to include an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Detail
The attacker must be on the same adjacent network segment (LAN or VPN) as the victim; remote exploitation over the open internet is not possible with this vector.
- Authentication: Not required
No account or credentials on the target system are needed before launching the attack.
- Victim interaction: Required
The victim must visit or be redirected to a crafted HTML page, making social engineering or a man-in-the-middle content injection a necessary part of the attack chain.
- Attack complexity: Detail
Exploitation is reliable and imposes no special timing requirements, race conditions, or environmental preconditions beyond placing the attacker on the adjacent network.
Blast Radius
- A successful attacker reads sensitive browser data including cookies, stored credentials, and session tokens accessible to the Chrome process.
- The attacker can modify browser state, alter rendered content, or inject data into the active browsing session.
- The Cast component or the browser process can be crashed or rendered unresponsive, disrupting the user's session.
- Privilege escalation within the browser context may allow the attacker to reach resources or permissions beyond what the victim's normal browsing session would permit.
How HarborGuard Handles This
Available on HarborGuard: any image containing a Chrome release older than 149.0.7827.53 is flagged at CVSS 8.0 (HIGH) as soon as the CVE enters the ingestion pipeline, typically within minutes of publication. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the fixed version, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation active. Where compliance policy or organizational workflow requires manual approval, the rebuilt image and a full findings report are queued for reviewer action. Because this vulnerability requires the attacker to share a network segment with the victim, customers who cannot immediately patch should consider isolating affected workloads behind stricter network policies to limit adjacent-network exposure until the updated image is deployed.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H