CVE-2026-11301 · HIGH · CNA: Chrome

CVE-2026-11301: Inappropriate implementation in LiveCaption in Google Chrome prior to 149

Inappropriate implementation in LiveCaption in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via malicious network traffic. (Chromium security severity: Low)

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 149.0.7827.53
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An inappropriate implementation flaw in the LiveCaption feature of Google Chrome prior to version 149.0.7827.53 allows a remote attacker to trigger out-of-bounds memory access by sending malicious network traffic to a victim. Exploitation requires the victim to interact with attacker-controlled content, but no authentication is needed on the attacker's side. Successful exploitation gives the attacker read access to sensitive memory, the ability to tamper with memory contents, and the ability to crash or destabilize the browser process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-11301 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and weighting that score against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available automatically once a match is confirmed.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard as soon as the upstream fix is confirmed in the advisory record. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads without manual intervention.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers malicious network traffic to the victim over the internet, so the victim's browser must be able to receive traffic from an attacker-controlled source.

  • Authentication: Not required

    No account or credential is needed; the attacker can initiate the attack as an unauthenticated party.

  • Victim interaction: Required

    The victim must interact with attacker-controlled content, such as visiting a crafted page or processing a malicious media stream, making social engineering a prerequisite.

  • Attack complexity: Low

    Attack complexity is rated low (AC:L), meaning the attack does not depend on race conditions, specific memory layouts, or other conditions outside the attacker's control.

Blast Radius

  • A successful attacker reads memory contents outside intended buffer boundaries, which exposes sensitive in-process data such as credentials, tokens, or cached page content.
  • The attacker writes to or corrupts out-of-bounds memory, allowing modification of browser state or injected code paths.
  • The attacker can crash the Chrome renderer or browser process, disrupting the victim's session and any dependent workloads.

How HarborGuard Handles This

Available on HarborGuard: images containing a Chrome or Chromium binary below version 149.0.7827.53 are flagged automatically as each customer's registry and pipeline inventory is scanned. Where compliance policy permits, a rebuilt image at the patched version is made available immediately; for customers with auto-remediation enabled, HarborGuard can deliver a rebuilt image, a regression test run, and a PR opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in those environments. Customers who prefer manual review will find the CVE surfaced in their triage queue with full CVSS context and a direct link to the Chrome 149.0.7827.53 release notes.
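The version match described above can be reproduced locally. This is an added example, not HarborGuard's code: it classifies the output of a browser's `--version` command against the fixed build 149.0.7827.53, comparing the four version fields numerically. The image names and version strings in `SAMPLE` are constructed.

```python
import re

FIXED = (149, 0, 7827, 53)  # fixed version stated on this page

# Matches a four-part Chrome/Chromium version anywhere in a string.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_output):
    """Classify one line of `--version` output against the fixed build."""
    v = parse_version(version_output)
    if v is None:
        return "unknown"  # cannot tell: surface for manual review, do not pass
    return "affected" if v < FIXED else "fixed"


def scan(inventory):
    """inventory: {image_name: version_output}. Returns names needing action."""
    return sorted(name for name, out in inventory.items()
                  if classify(out) != "fixed")


# Constructed sample inventory (image names and version strings are made up).
SAMPLE = {
    "web/render-worker": "Google Chrome 149.0.7827.9 ",
    "ci/e2e-runner": "Chromium 148.0.7700.120 built on Debian",
    "tools/pdf-export": "Google Chrome 149.0.7827.53",
    "qa/screenshot": "Google Chrome 149.0.7827.100",
    "legacy/scraper": "chrome: not found",
}

if __name__ == "__main__":
    for name, out in SAMPLE.items():
        print(f"{name:20} {classify(out):9} {out.strip()}")
    # A plain string comparison gets 149.0.7827.9 wrong ("9" > "5" as text).
    print("string compare says fixed:", "149.0.7827.9" >= "149.0.7827.53")
```

Comparing the versions as strings misclassifies in both directions (149.0.7827.9 looks fixed, 149.0.7827.100 looks affected), which is why the fields are compared as integers.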


Fix available: 149.0.7827.53

Affected packages

  • Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H