CVE-2026-11637: Use after free in Views in Google Chrome on Mac prior to 149
Use after free in Views in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.103
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability affects the Views component of Google Chrome on macOS in versions prior to 149.0.7827.103. The bug is reachable over the network without any credentials, but requires a victim to visit a crafted HTML page. Successful exploitation gives an attacker arbitrary code execution on the victim's machine. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-11637 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome binary.
AvailableHarborGuard scores this CVE at 8.8 HIGH (CVSS v3.1) and is capable of weighting that score against each environment's compliance policy to prioritize routing. Triage alerts are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild at Chrome 149.0.7827.103 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the service must be reachable from a remote origin.
- AuthenticationNot required
No account or credential of any kind is needed before the exploit executes.
- Victim interactionRequired
The victim must open or be redirected to an attacker-controlled HTML page, making social engineering or a malicious link a prerequisite.
- Attack complexityDetail
The exploit is reliable and condition-free once the victim visits the page; no race conditions or specific memory-layout prerequisites are required.
Blast Radius
- Attacker executes arbitrary native code in the context of the Chrome renderer process on the victim's Mac.
- With code execution in the renderer, an attacker can read files and session tokens accessible to the browser process.
- An attacker can write or modify data on the local filesystem within the browser's accessible scope.
- The compromised process can be used as a foothold for further lateral movement on the host system.
How HarborGuard Handles This
Available on HarborGuard: images containing a Chrome binary below 149.0.7827.103 on macOS base images are flagged immediately upon scan, and a rebuild against the patched version is made available. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, executes a regression run, and opens a pull request against affected workloads automatically; for high-severity issues like this one, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual sign-off, the triage alert is routed to the configured owner inbox with CVSS context and remediation steps attached. Customers who cannot immediately rebuild should consider network-policy controls that restrict which origins Chrome-based workloads can load content from, reducing exposure while the rebuild is reviewed.
Fix available
- Google / Chrome< 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H