How is CVE-2026-11635 exploited?

Network reachability (required): The attacker delivers the exploit over the network via a crafted HTML page, so the victim's browser must be reachable and navigating to attacker-controlled content. Authentication (not-required): No account or credential is needed on the target system; the attack is initiated entirely from the attacker side through a crafted page. Victim interaction (required): The victim must visit a crafted HTML page, making this a social-engineering-dependent attack that requires the user to take an action. Attack complexity (info): Attack complexity is high, meaning the attacker must already hold a compromised renderer process as a precondition before the use-after-free can be leveraged for sandbox escape.

What is the impact of CVE-2026-11635?

Attacker escapes the Chrome sandbox and executes arbitrary code in the context of the host macOS user process. Reads files, credentials, and session data accessible to the logged-in macOS user outside the browser sandbox. Writes or modifies files on the host filesystem, enabling persistence or further lateral movement. Crashes or destabilizes the Chrome process and any dependent services, disrupting availability.

Back to search

HIGHCVE-2026-11635Published 2026-06-08Modified 2026-06-09CNA Chrome

CVE-2026-11635: Use after free in Bluetooth in Google Chrome on Mac prior to 149

Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.103
Affected Products: 1

HarborGuard Analysis

Synopsis

Use-after-free in the Bluetooth component of Google Chrome on macOS, affecting all Chrome versions prior to 149.0.7827.103. The vulnerability is reachable over the network but requires victim interaction and high attack complexity, and is exploitable only by an attacker who has already compromised the Chrome renderer process. Successful exploitation enables a sandbox escape, giving the attacker full read, write, and availability impact outside the browser's security boundary. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11635 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. Coverage extends to custom-built images that bundle Chrome on macOS base layers, not just official upstream images.

Available

Triage

HarborGuard scores this CVE at 8.3 HIGH (CVSS v3.1) and weights it further against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer org based on configured ownership rules.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard for any image found running an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network via a crafted HTML page, so the victim's browser must be reachable and navigating to attacker-controlled content.
AuthenticationNot required
No account or credential is needed on the target system; the attack is initiated entirely from the attacker side through a crafted page.
Victim interactionRequired
The victim must visit a crafted HTML page, making this a social-engineering-dependent attack that requires the user to take an action.
Attack complexityDetail
Attack complexity is high, meaning the attacker must already hold a compromised renderer process as a precondition before the use-after-free can be leveraged for sandbox escape.

Blast Radius

Attacker escapes the Chrome sandbox and executes arbitrary code in the context of the host macOS user process.
Reads files, credentials, and session data accessible to the logged-in macOS user outside the browser sandbox.
Writes or modifies files on the host filesystem, enabling persistence or further lateral movement.
Crashes or destabilizes the Chrome process and any dependent services, disrupting availability.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11635 is active in the ingestion pipeline and matches any container image bundling a pre-149.0.7827.103 Chrome binary on a macOS-targeting layer. Because this is rated HIGH (8.3) with a scope-changed CVSS vector, it is prioritized in triage routing and surfaced immediately in the affected environment's finding feed. A patched-image rebuild at Chrome 149.0.7827.103 is available for qualifying images. For customers who opt into auto-remediation, HarborGuard queues a rebuild, executes the configured regression tests, and opens a patch PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Customers not using auto-remediation can pull the rebuild manually from the HarborGuard artifact store and apply it through their standard change process.

See how HarborGuard automates this

Fix available

149.0.7827.103

Affected packages

Google / Chrome
< 149.0.7827.103 (from 149.0.7827.103)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available