CVE-2026-11242: Insufficient validation of untrusted input in Plugins in Google Chrome prior to 149
Insufficient validation of untrusted input in Plugins in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an insufficient input validation vulnerability in the Plugins component of Google Chrome prior to version 149.0.7827.53. The flaw is reachable over the network with no authentication required, but exploitation assumes the attacker has already compromised the Chrome renderer process. Successful exploitation leaks cross-origin data, meaning an attacker can read content from web origins other than their own, violating the browser's same-origin boundary. A patched-image rebuild at 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium.
HarborGuard scores this CVE at 7.5 HIGH per CVSS v3.1 and is capable of weighting that score against each environment's compliance policy, then routing the finding to the appropriate team inbox within the customer org.
A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard is capable of triggering a rebuild, running a regression suite, and opening a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the target over the network and deliver a crafted HTML page to the victim's browser.
- Authentication: Not required
No authentication or account credentials are required to deliver the malicious page.
- Victim interaction: Not required
No user interaction is required at exploitation time: once the renderer process is compromised, no additional click or social-engineering step is needed.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout, though it does presuppose a pre-existing renderer compromise.
Blast Radius
- Reads cross-origin data that the same-origin policy would normally block, such as response bodies from other sites loaded in the same browser session.
- Leaks potentially sensitive content from authenticated sessions on third-party origins, for example intranet pages or logged-in web application responses.
- Confidentiality impact is high with no integrity or availability impact, so the attacker gains information but cannot modify or destroy data through this vulnerability alone.
How HarborGuard Handles This
Available on HarborGuard: images containing Chrome or Chromium below version 149.0.7827.53 are flagged against this CVE as soon as it appears in the ingestion feed. For customers with auto-remediation enabled, HarborGuard can rebuild the affected image at the patched version, run a regression test suite, and open a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS context and fix-version detail so reviewers can act without additional research.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N