CVE-2026-11632: Use after free in TabStrip in Google Chrome prior to 149
Use after free in TabStrip in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
Use-after-free vulnerability in the TabStrip component of Google Chrome (versions prior to 149.0.7827.103) allows a remote attacker to execute arbitrary code on the victim's machine. The attacker reaches the target over the network but must convince the user to perform specific UI gestures on a crafted HTML page; no prior authentication or account is needed. Because TabStrip is browser UI code, a successful exploit gives the attacker code execution in the browser process itself, which runs outside the renderer sandbox with the logged-in user's privileges; this enables data theft, tampering, or further system compromise and is why Chromium rates the bug Critical despite the user-interaction requirement. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-11632 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. This capability covers custom-built images that bundle a Chrome or Chromium binary, not just base images sourced from public registries.
HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and surfacing it with per-environment compliance policy weighting applied, so teams with stricter browser-component policies can receive an elevated priority signal. Triage findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.
A patched-image rebuild pinned to Chrome 149.0.7827.103 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test pass, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the target's browser must be reachable via normal web browsing.
- Authentication: Not required
No account or credential is required; the attacker only needs the victim to visit a page they control.
- Victim interaction: Required
The victim must perform specific UI gestures (such as interacting with browser tabs) on the attacker-crafted page, making social engineering a necessary part of the attack chain.
- Attack complexity: High
Exploitation is rated AC:H, meaning the attacker must account for timing, memory layout, or precise sequencing of UI interactions rather than firing a reliable, condition-free exploit.
Blast Radius
- Attacker gains arbitrary code execution inside the Chrome browser process. Unlike a renderer compromise, this is not contained by the sandbox: the browser process runs with the privileges of the logged-in user, so no separate sandbox-escape bug is needed.
- Reads browser-stored data including session cookies, saved passwords, and cached page content belonging to the victim.
- Modifies or exfiltrates data the browser can reach, including authenticated web sessions and any local files readable by the user account running Chrome.
- Crashes or destabilizes the browser process, disrupting the victim's active session and any open tabs.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11632 is active across customer environments, matching images that bundle an affected Chrome binary as soon as the image is scanned or re-scanned after CVE publication. Where compliance policy permits auto-remediation, HarborGuard can rebuild the affected image at Chrome 149.0.7827.103, run a regression test pass against the rebuilt image, and open a pull request targeting affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments that require manual approval before remediation, HarborGuard surfaces the finding in the triage queue with the CVSS 7.5 HIGH score and policy-weighted priority so the owning team can act immediately.
Fix available
- Google / Chrome: < 149.0.7827.103 (fixed in 149.0.7827.103)
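A version check for the affected range above, added here as an example; it is not HarborGuard's scanner or Chromium project code. It compares four-part Chrome version numbers numerically (a plain string comparison would call 149.0.7827.99 "newer" than 149.0.7827.103) and, if a Chrome or Chromium binary happens to be on PATH under one of the assumed common names, asks it for its version. The image inventory is constructed sample data.

```python
import re
import shutil
import subprocess

# Fixed build from this advisory: any Chrome/Chromium version below it is affected.
FIXED_VERSION = "149.0.7827.103"

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part Chrome version in `text` as a tuple of ints.

    Accepts a bare '149.0.7827.103' as well as `google-chrome --version`
    output such as 'Google Chrome 148.0.7700.51'. Int tuples compare
    component-wise, so 149.0.7827.99 sorts below 149.0.7827.103.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no four-part Chrome version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text, fixed=FIXED_VERSION):
    """True if the version found in `version_text` is older than the fixed build."""
    return parse_version(version_text) < parse_version(fixed)


def installed_chrome_version():
    """Version string of a locally installed Chrome/Chromium, or None if none is found.

    Assumption: the binary is on PATH under one of these common names.
    """
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.TimeoutExpired):
            return None
        return out.stdout.strip() or None
    return None


def triage(inventory):
    """Map each name in `inventory` (name -> version text) to 'affected' or 'fixed'."""
    return {name: ("affected" if is_affected(v) else "fixed") for name, v in inventory.items()}


# Constructed sample inventory (not real scan data): image name -> version the image reports.
SAMPLE_INVENTORY = {
    "ci/headless-chrome:148": "Google Chrome 148.0.7700.51",
    "ci/headless-chrome:149-old": "Chromium 149.0.7827.99",
    "ci/headless-chrome:149": "Google Chrome 149.0.7827.103",
    "ci/headless-chrome:150": "Google Chrome 150.0.7900.12",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:8} {name}")
    local = installed_chrome_version()
    if local:
        print("local:", local, "->", "affected" if is_affected(local) else "fixed")
```

The same tuple comparison works for any "prior to X" Chrome advisory by changing `FIXED_VERSION`; the regex deliberately requires all four components so a truncated "149.0" label is rejected rather than silently compared.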
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H