CVE-2026-11639: Use after free in Compositing in Google Chrome on Mac prior to 149
Use after free in Compositing in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Compositing component of Google Chrome on macOS allows a remote attacker to execute arbitrary code. The attacker must deliver a crafted HTML page and have the victim open it, but no authentication is required; the exploit works over the network with high attack complexity due to memory-layout timing requirements. Successful exploitation gives the attacker full code execution inside the Chrome renderer process, enabling data theft, file access, or further privilege escalation. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11639 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and build pipelines, including custom-built images that bundle a Chrome or Chromium runtime on macOS base layers.
Triage is available with CVSS 7.5 HIGH scoring applied automatically, weighted against each customer organization's per-environment compliance policy, and routed to the appropriate team inbox based on configured ownership rules.
A patched-image rebuild pinned to Chrome 149.0.7827.103 becomes available for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network; the victim's browser must be able to reach and load the attacker-controlled HTML page.
- Authentication: Not required
No account or credential is needed; the attacker only needs to get the victim to open a crafted URL.
- Victim interaction: Required
The victim must actively open the crafted HTML page, making this a social-engineering vector such as a phishing link or malicious ad.
- Attack complexity: Detail
Exploitation is rated high complexity, meaning the attacker must win a race condition or arrange a specific memory layout to reliably trigger the use-after-free.
Blast Radius
- A successful attacker achieves arbitrary code execution inside the Chrome renderer process on the victim's Mac.
- Confidential data accessible to the browser, including stored credentials, session tokens, and page content from other open tabs, can be read.
- Attacker-controlled code can write or modify files reachable by the browser process, including cached data and user-profile storage.
- Depending on sandbox posture, the foothold in the renderer can be chained with a sandbox-escape to gain broader host-level access.
How HarborGuard Handles This
Available on HarborGuard: any container image that bundles a Chrome or Chromium binary below version 149.0.7827.103 on a macOS-targeted layer is flagged automatically within minutes of the CVE entering upstream feeds. For customers who opt into auto-remediation, a rebuilt image at the fix version becomes available, a regression run is triggered against the new image, and a pull request is opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the flagged finding and rebuild candidate are routed to the configured team inbox for review. Customers without auto-remediation enabled can apply the fix by pinning Chrome to 149.0.7827.103 in their Dockerfile or base-image reference and triggering a manual rebuild through the HarborGuard pipeline.
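The version check described above, as an added example that is not HarborGuard's or Google's code: it compares the four version components numerically against the fix version 149.0.7827.103, because a plain string comparison would rank 149.0.7827.99 above 149.0.7827.103. The inventory records, host names and the "mac" platform label are constructed assumptions.

```python
import re

FIXED = (149, 0, 7827, 103)  # fix version stated in the advisory

# Finds a four-part Chrome/Chromium version anywhere in a string, e.g. in
# `--version` output such as "Google Chrome 149.0.7827.103".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def is_affected(platform, version_text):
    """True/False, or None when the version cannot be parsed (manual review)."""
    if platform != "mac":  # the advisory is scoped to Chrome on Mac
        return False
    version = parse_version(version_text)
    if version is None:
        return None
    return version < FIXED  # tuple comparison is numeric, component by component


def triage(inventory):
    """Sort (name, platform, version_text) records into three buckets."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for name, platform, version_text in inventory:
        verdict = is_affected(platform, version_text)
        key = "unknown" if verdict is None else ("affected" if verdict else "not_affected")
        result[key].append(name)
    return result


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("build-mac-01", "mac", "Google Chrome 149.0.7827.99"),
    ("build-mac-02", "mac", "Google Chrome 149.0.7827.103"),
    ("build-mac-03", "mac", "Chromium 148.0.7700.12"),
    ("build-mac-04", "mac", "Google Chrome 150.0.7900.2"),
    ("build-linux-01", "linux", "Google Chrome 149.0.7827.50"),
    ("build-mac-05", "mac", "chrome: command not found"),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(bucket, names)
```

Records that land in the unknown bucket carry no parseable version and need a manual look rather than being treated as patched.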
Fix available
- Google / Chrome < 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H