HarborGuard Database
Severity: HIGH. CVE-2026-11262. CNA: Chrome.

CVE-2026-11262: Use after free in TabStrip in Google Chrome prior to 149

Use after free in TabStrip in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the TabStrip component of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code. The vulnerability is reachable over the network and requires no authentication, but does require the target user to visit a crafted HTML page. Successful exploitation gives the attacker full code execution in the context of the browser process, enabling confidentiality loss, data tampering, and service disruption. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection (Available)

Detection capability for CVE-2026-11262 is available across every HarborGuard environment, with the CVE ingested from upstream feeds and matched against customer images, including custom-built images, within minutes of publication. Any image carrying a Chrome binary older than 149.0.7827.53 is flagged automatically during both registry scans and active pipeline checks.
Triage (Available)

HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector, and that score is weighted against each environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer organization based on ownership mappings configured in their HarborGuard workspace.
Patch (Available)

A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any image found carrying an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing or luring the target to a crafted HTML page hosted remotely.

  • Authentication: Not required

    No account, session token, or prior access to the target system is needed to deliver the exploit.

  • Victim interaction: Required

    The target user must visit or be redirected to an attacker-controlled HTML page, making this a social-engineering or drive-by vector.

  • Attack complexity: Low

    Attack complexity is rated low (AC:L in the CVSS vector), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • A successful attacker executes arbitrary code within the Chrome browser process on the victim's machine.
  • The attacker reads browser-stored data including cookies, saved passwords, and session tokens for sites the user is logged into.
  • The attacker can modify or delete locally accessible files and data reachable from the browser process.
  • The attacker can crash or hang the browser, disrupting the user's session and any in-progress work.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11262 fires the moment an image carrying Chrome older than 149.0.7827.53 is scanned, whether that image comes from a public base layer or a custom internal build. The finding is scored at 8.8 HIGH and routed according to each environment's compliance policy. Where auto-remediation is enabled, HarborGuard rebuilds the image at the fixed version (149.0.7827.53), runs regression tests against the updated image, and opens a pull request against affected workloads. For high-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding appears in the team inbox with remediation guidance and the fixed version pinned for manual action.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome: versions < 149.0.7827.53 (fixed in 149.0.7827.53)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H