How is CVE-2026-11630 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing the victim to a crafted HTML page; the vulnerable service must be reachable from an external or network-adjacent origin. Authentication (not-required): No account or credential is needed; the attacker can target any user who browses to the malicious page without prior authentication. Victim interaction (required): The victim must open a crafted HTML page, meaning the attacker relies on phishing, malicious advertising, or another social-engineering vector to trigger the vulnerability. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

What is the impact of CVE-2026-11630?

The attacker gains read access to heap memory in the Chrome renderer process, exposing in-memory session tokens, credentials, and page content. The attacker can write to freed heap memory, enabling arbitrary code execution within the renderer process sandbox. If a sandbox escape is chained, the attacker can execute code at the privilege level of the Chrome process on the host. The vulnerability can also be used to crash the Chrome process, disrupting the user's browsing session and any active web applications.

Back to search

HIGHCVE-2026-11630Published 2026-06-08Modified 2026-06-10CNA Chrome

CVE-2026-11630: Use after free in File Input in Google Chrome prior to 149

Use after free in File Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.103
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the File Input component of Google Chrome versions prior to 149.0.7827.103 allows a remote attacker to exploit heap corruption. The vulnerability is reachable over the network and requires no authentication, though it does require the victim to visit a crafted HTML page. Successful exploitation gives the attacker full read, write, and availability impact on the affected process, enabling arbitrary code execution or service disruption. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: CVE-2026-11630 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome binary. Any image containing a Chrome version below 149.0.7827.103 is flagged automatically.

Available

Triage

HarborGuard scores this CVE at 8.8 HIGH (CVSS v3.1) and weights it against each environment's compliance policy to determine routing priority. Triage results are delivered to the inbox or ticketing integration configured for the responsible team inside each customer org.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.103 becomes available in HarborGuard the moment the fix version is confirmed. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page; the vulnerable service must be reachable from an external or network-adjacent origin.
AuthenticationNot required
No account or credential is needed; the attacker can target any user who browses to the malicious page without prior authentication.
Victim interactionRequired
The victim must open a crafted HTML page, meaning the attacker relies on phishing, malicious advertising, or another social-engineering vector to trigger the vulnerability.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

The attacker gains read access to heap memory in the Chrome renderer process, exposing in-memory session tokens, credentials, and page content.
The attacker can write to freed heap memory, enabling arbitrary code execution within the renderer process sandbox.
If a sandbox escape is chained, the attacker can execute code at the privilege level of the Chrome process on the host.
The vulnerability can also be used to crash the Chrome process, disrupting the user's browsing session and any active web applications.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome below 149.0.7827.103 are detected automatically within minutes of CVE publication, including Chrome bundled into custom base images. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image at Chrome 149.0.7827.103, runs a regression test suite against the rebuilt image, and opens a pull request against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where compliance policy requires manual approval, the rebuilt image and a full triage report are queued and waiting for reviewer action. Customers who cannot update immediately should consider network-policy controls that restrict which origins Chrome-based workloads can load content from, reducing exposure until the patched image is deployed.

See how HarborGuard automates this

Fix available

149.0.7827.103

Affected packages

Google / Chrome
< 149.0.7827.103 (from 149.0.7827.103)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available