How is CVE-2026-11279 exploited?

Network reachability (required): The attacker must deliver the crafted HTML page to the victim over the network, so the Chrome instance must be reachable or browsing attacker-controlled content accessible via the internet or internal network. Authentication (not-required): No account or credentials are needed; the exploit is triggered purely by the victim loading a crafted page. Victim interaction (required): The victim must visit or otherwise load a crafted HTML page, making this a social-engineering or malicious-link scenario. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

What is the impact of CVE-2026-11279?

The attacker gains arbitrary code execution within the Chrome renderer sandbox, allowing execution of attacker-supplied instructions in that process context. Confidentiality impact is high: the attacker can read in-process memory, potentially capturing session tokens, credentials, or page content loaded in the affected tab. Integrity impact is high: the attacker can modify data processed within the sandboxed renderer, including manipulating page content or writing to accessible storage APIs. Availability impact is high: the attacker can crash or destabilize the renderer process, taking down the affected browsing context.

Back to search

HIGHCVE-2026-11279Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11279: Out of bounds read in DevTools in Google Chrome prior to 149

Out of bounds read in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability in the DevTools component of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the browser sandbox by luring a user to a crafted HTML page. The attack is reachable over the network and requires no authentication, though it does require the victim to visit or load attacker-controlled content. Successful exploitation gives the attacker code execution within the sandboxed renderer process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-11279 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium.

Available

Triage

Triage is available with the CVSS v3.1 score of 8.8 (HIGH) applied automatically, weighted further by each customer organization's compliance policy, and routed to the appropriate team inbox within that customer's HarborGuard account.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must deliver the crafted HTML page to the victim over the network, so the Chrome instance must be reachable or browsing attacker-controlled content accessible via the internet or internal network.
AuthenticationNot required
No account or credentials are needed; the exploit is triggered purely by the victim loading a crafted page.
Victim interactionRequired
The victim must visit or otherwise load a crafted HTML page, making this a social-engineering or malicious-link scenario.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

The attacker gains arbitrary code execution within the Chrome renderer sandbox, allowing execution of attacker-supplied instructions in that process context.
Confidentiality impact is high: the attacker can read in-process memory, potentially capturing session tokens, credentials, or page content loaded in the affected tab.
Integrity impact is high: the attacker can modify data processed within the sandboxed renderer, including manipulating page content or writing to accessible storage APIs.
Availability impact is high: the attacker can crash or destabilize the renderer process, taking down the affected browsing context.

How HarborGuard Handles This

Available on HarborGuard: detection of this CVE is matched against customer images within minutes of upstream publication, covering both standard Chrome base images and custom images built on Chromium. For environments running Chrome prior to 149.0.7827.53, a patched rebuild at the fix version is available. Customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; for high-severity issues like this one, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard flags the affected images and routes the finding to the configured team inbox for manual review and upgrade.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available