CVE-2026-11248: Inappropriate implementation in Google Lens in Google Chrome prior to 149
Inappropriate implementation in Google Lens in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An inappropriate implementation vulnerability in the Google Lens feature of Google Chrome (versions prior to 149.0.7827.53) allows a remote attacker to bypass navigation restrictions by delivering a crafted HTML page to a victim. The attack is reachable over the network, requires no authentication, but depends on the victim interacting with a malicious page. Successful exploitation enables full read, write, and availability impact on the affected scope. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome binary. Any image carrying a Chrome version below 149.0.7827.53 is flagged automatically.
AvailableHarborGuard scores this finding at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. The resulting alert is delivered to the inbox or ticketing integration configured for the relevant team inside each customer org.
AvailableA patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard once the fix version is confirmed against the affected image layers. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the victim over the network by delivering a crafted HTML page, making the service's network exposure a prerequisite.
- AuthenticationNot required
No credentials or account are needed; the attacker can target any user who visits the malicious page.
- Victim interactionRequired
The victim must visit or be redirected to a crafted HTML page, requiring a social-engineering or drive-by delivery step.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions or specific memory layout requirements.
Blast Radius
- A successful attacker reads sensitive data stored or accessible in the browser context, including session tokens, saved credentials, and page content.
- The attacker modifies browser-controlled data or state, enabling content injection or tampering with navigation behavior.
- The attacker can disrupt or crash the affected browser process, causing loss of availability for the user session.
How HarborGuard Handles This
Available on HarborGuard: any image layer containing a Chrome binary below version 149.0.7827.53 is matched against this CVE within minutes of the advisory entering upstream feeds. For customers who opt into auto-remediation, HarborGuard queues a rebuild against the patched base at 149.0.7827.53, runs regression checks, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the configured owner with full CVSS context and remediation diff attached. Customers who cannot immediately rebuild are advised to apply network-policy controls that restrict untrusted HTML delivery paths and to audit any pipeline step that installs or bundles a Chrome binary directly.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H