CVE-2026-11641: Use after free in Bluetooth in Google Chrome on Windows prior to 149
Use after free in Bluetooth in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Bluetooth component of Google Chrome on Windows, affecting all versions prior to 149.0.7827.103. The flaw is reachable over the network but requires a victim to perform specific UI gestures on a crafted HTML page, and no authentication is needed from the attacker. Successful exploitation gives the attacker arbitrary code execution in the context of the browser process. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-11641 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication using upstream feed ingestion from Chrome and Chromium advisory sources. This matching covers all customer registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.
HarborGuard is capable of scoring this CVE at CVSS 7.5 HIGH and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on policy configuration.
A patched-image rebuild at Chrome 149.0.7827.103 is available on HarborGuard for any image found to include an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker delivers a crafted HTML page over the network, so the victim's browser must be able to reach attacker-controlled web content.
- Authentication: Not required
  No account or credential is required from the attacker; the exploit is delivered through a web page with no prior authentication.
- Victim interaction: Required
  The victim must perform specific UI gestures on the crafted page, requiring the attacker to socially engineer the target into taking those actions.
- Attack complexity: High
  Attack complexity is high, meaning successful exploitation depends on environmental factors or precise timing conditions beyond the attacker's direct control.
Blast Radius
- The attacker achieves arbitrary code execution inside the Chrome browser process on the victim's Windows host.
- Confidential data accessible to the browser, including stored credentials, session tokens, and local files readable by the Chrome process, is exposed.
- The attacker can write or modify data accessible to the browser process, including cached content and profile data on disk.
- The browser process can be crashed or made to behave arbitrarily, disrupting the user's session and any dependent browser-hosted workloads.
How HarborGuard Handles This
Available on HarborGuard: detection of CVE-2026-11641 is active against all images that bundle Google Chrome for Windows, matched within minutes of CVE publication. For environments running an affected Chrome version (below 149.0.7827.103), a rebuilt image at the fixed version is available. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, execute a regression test run, and open a pull request against affected workloads automatically; for high-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where compliance policy requires manual approval, the finding is routed to the configured team inbox with full CVSS context and policy weighting attached.
Fix available
- Google / Chrome: < 149.0.7827.103 (fixed from 149.0.7827.103)
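The affected range above is "every build below 149.0.7827.103", and the usual mistake when checking an inventory against that is comparing version strings lexically, which ranks 149.0.7827.97 above 149.0.7827.103. The following added example (not HarborGuard's code, and not from the advisory) parses Chrome's four-component version numerically and flags hosts that still need the fix; the inventory entries and hostnames are constructed sample data.

```python
import re

# Fixed-in version taken from the advisory.
FIXED_VERSION = "149.0.7827.103"


def parse_version(version: str) -> tuple:
    """Parse a dotted Chrome version ('149.0.7827.103') into a 4-tuple of ints.

    Chrome uses four numeric components; shorter strings are padded with zeros
    so '149' compares as 149.0.0.0. Anything non-numeric is rejected rather
    than silently compared as text.
    """
    v = version.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", v):
        raise ValueError(f"not a Chrome version string: {version!r}")
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version sorts numerically before the fixed version."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(inventory: list) -> list:
    """Given (hostname, version) pairs, return the hosts needing attention.

    Entries whose version cannot be parsed are reported as 'unparseable':
    an unknown version must not be assumed fixed.
    """
    findings = []
    for host, version in inventory:
        try:
            if is_affected(version):
                findings.append((host, version, "affected"))
        except ValueError:
            findings.append((host, version, "unparseable"))
    return findings


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("win-ws-01", "148.0.7790.55"),    # older major release
    ("win-ws-02", "149.0.7827.103"),   # exactly the fixed build
    ("win-ws-03", "149.0.7827.97"),    # lexically "greater", numerically older
    ("win-ws-04", "150.0.7901.0"),     # newer major release
    ("win-ws-05", "unknown"),          # agent could not read a version
]

if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {version} -> {status}")
```

Running the block lists win-ws-01 and win-ws-03 as affected and win-ws-05 as unparseable; the host on exactly 149.0.7827.103 and the one on a later release are not reported.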
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H