CVE-2026-11633: Use after free in Bluetooth in Google Chrome on Mac prior to 149
Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: Critical)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.103
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Use-after-free vulnerability in the Bluetooth stack of Google Chrome on macOS affects all Chrome versions prior to 149.0.7827.103. The flaw is reachable over the network and requires no authentication, but does require the victim to interact with a malicious peripheral or crafted content delivered through one. Successful exploitation gives an attacker full remote code execution on the affected host. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome on macOS base layers.
AvailableHarborGuard scores this CVE at CVSS 8.8 HIGH and weights it further against each environment's compliance policy, then routes the finding to the appropriate team inbox within the affected customer org.
AvailableA patched-image rebuild pinned to Chrome 149.0.7827.103 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the regression test suite against the new image, and opens a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network, so the affected Chrome instance must be reachable or browsing content served from a remote source.
- AuthenticationNot required
No account or credential is needed; the attacker requires no prior authentication to the target system.
- Victim interactionRequired
The victim must interact with a malicious peripheral or attacker-controlled content, making this a social-engineering or physical-peripheral delivery vector.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or other unpredictable environmental factors.
Blast Radius
- Attacker achieves remote code execution and can run arbitrary processes under the Chrome renderer or browser process account.
- Confidential data accessible to the browser, including stored credentials, cookies, and session tokens, can be read directly.
- Files and data accessible to the logged-in user account can be modified or deleted by the attacker's injected code.
- The affected Chrome process and dependent services can be crashed or destabilized, disrupting the user's session.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image that bundles a Chrome version below 149.0.7827.103 on a macOS base layer. A rebuilt image at the fix version (149.0.7827.103) is available for affected environments. For customers with auto-remediation enabled, HarborGuard handles the full flow: rebuild the image at the patched version, run regression tests, and open a pull request against affected workloads. For high-severity CVEs, the median time from publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who have not enabled auto-remediation will see the finding surfaced in their HarborGuard dashboard with fix-version details and affected image inventory, enabling manual triage and upgrade planning.
Fix available
- Google / Chrome< 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H