Severity: HIGH | CVE-2026-11643 | CNA: Chrome

CVE-2026-11643: Use after free in Proxy in Google Chrome prior to 149

Use after free in Proxy in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 149.0.7827.103
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Proxy component of Google Chrome prior to version 149.0.7827.103 allows a remote attacker to execute arbitrary code by sending malicious network traffic to the browser. The vulnerability is reachable over the network without any authentication or user interaction, though exploitation requires overcoming high attack complexity conditions. Successful exploitation gives the attacker full code execution in the context of the browser process, enabling data theft, tampering, and service disruption. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-11643 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed ingestion, including custom-built images that bundle a Chrome or Chromium binary. Coverage applies regardless of whether the image was pulled from a public registry or built internally.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.1 (HIGH) and weighting it against each environment's compliance policy to prioritize routing. Findings are surfaced to the appropriate team inbox within each customer organization based on policy-defined severity thresholds and ownership rules.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.103 is available on HarborGuard for any image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target over the network by delivering malicious traffic to a browser session exposed to untrusted network content.

  • Authentication: Not required

    No account or credential of any privilege level is needed to deliver the exploit payload.

  • Victim interaction: Not required

    The exploit is delivered through network traffic without requiring the user to click, open a file, or take any other action.

  • Attack complexity: Detail

    Exploitation is rated high complexity, meaning the attacker must satisfy specific conditions that are not fully under attacker control, such as winning a race or achieving a precise memory layout.

Blast Radius

  • The attacker executes arbitrary code in the context of the Chrome browser process on the target host.
  • Confidential data accessible to the browser, including stored credentials, session tokens, and browsing history, is exposed.
  • The attacker can modify browser state, write files accessible to the browser process, or pivot to other resources the browser can reach.
  • The browser process can be crashed or rendered inoperable, denying service to the affected user.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11643 is active across all connected registries and pipelines, matching any image layer that includes a Chrome or Chromium binary below version 149.0.7827.103. Because this is a HIGH-severity issue with a confirmed fix version, a rebuilt image at 149.0.7827.103 is made available immediately upon detection. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS detail and remediation context attached.


Fix available: 149.0.7827.103
Affected packages
  • Google / Chrome
    < 149.0.7827.103 (from 149.0.7827.103)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H