CVE-2026-11636: Use after free in Autofill in Google Chrome on Windows prior to 149
Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Autofill component of Google Chrome on Windows (versions prior to 149.0.7827.103) allows a remote attacker to corrupt heap memory. Exploitation requires convincing a user to perform specific UI gestures on a crafted HTML page delivered over the network, and attack complexity is rated High. Successful exploitation gives the attacker full read, write, and crash capability over the affected process (confidentiality, integrity, and availability impact are each rated High). A patched-image rebuild at 149.0.7827.103 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Chrome on Windows base layers. Any image carrying a Chrome version below 149.0.7827.103 is flagged automatically.
HarborGuard scores this CVE at 7.5 HIGH (CVSS v3.1) and can weight that score against each customer environment's compliance policy to produce a prioritized finding routed to the appropriate team inbox inside the customer org.
A patched-image rebuild at Chrome 149.0.7827.103 becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the crafted HTML page over the network, so the targeted Chrome instance must be able to reach, or be directed to, an attacker-controlled origin.
- Authentication: Not required
  No authentication is needed; any unauthenticated remote attacker can serve the malicious page.
- Victim interaction: Required
  The user must be convinced to perform specific UI gestures (for example, interacting with Autofill prompts) on the attacker-crafted page, making social engineering a prerequisite.
- Attack complexity (detail)
  Attack complexity is rated High, meaning the attacker must account for race conditions or precise heap-layout factors to reliably trigger the use-after-free and achieve controlled corruption.
Blast Radius
- Reads sensitive data held in the browser process, including stored Autofill field contents such as addresses and payment details rendered in the active session.
- Writes arbitrary data into heap memory, enabling the attacker to overwrite internal browser structures and redirect code execution.
- Crashes the affected Chrome renderer or browser process, disrupting the user's session and any in-flight transactions.
- Achieves arbitrary code execution within the browser process under the privileges of the logged-in Windows user, enabling further host-level actions.
How HarborGuard Handles This
Available on HarborGuard: any container image that bundles Google Chrome on a Windows base layer at a version below 149.0.7827.103 is matched against this CVE within minutes of ingest. For customers who opt into auto-remediation, HarborGuard will trigger a rebuild pinned to 149.0.7827.103, execute the configured regression tests, and open a pull request against affected workloads; for high-severity issues, median time from publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated remediation, the finding is surfaced as a prioritized alert routed to the team inbox defined in the customer's policy configuration. In either case, HarborGuard continues re-evaluating the image on each ingest cycle so that remediation status stays current as base images are rebuilt.
Fix available
- Google / Chrome < 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H