CVE-2026-11644 | Severity: HIGH | CNA: Chrome

CVE-2026-11644: Use after free in Views in Google Chrome on Linux prior to 149

Use after free in Views in Google Chrome on Linux prior to 149.0.7827.103 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Critical)

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 149.0.7827.103
Affected products: 1


HarborGuard Analysis

Synopsis

Use-after-free vulnerability in the Views component of Google Chrome on Linux affects all versions prior to 149.0.7827.103. CVSS scores the attack vector as Network because the malicious extension is delivered over the network, but the flaw is only reachable once the victim installs that extension; no credential or account on the target is needed. Successful exploitation gives the attacker arbitrary code execution inside the Chrome process on the affected Linux host. Note the gap between the two ratings on this record: the CVSS 7.5 (HIGH) figure is pulled down by AC:H and UI:R, while Chromium's own severity is Critical, which under Chromium's guidelines means code execution outside the renderer sandbox (Views is the browser-process UI toolkit), so a compromised host rather than a compromised tab is the right assumption when scoping a response. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-11644 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including the Chrome release advisory. Coverage extends to custom-built images that bundle a Chrome or Chromium binary below the fix version.

Triage: Available

Triage is available with the CVSS v3.1 score of 7.5 (HIGH) applied to each matched image, weighted further by per-environment compliance policy settings. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at Chrome 149.0.7827.103 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
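The detection described above reduces to one check: is the bundled Chrome or Chromium build numerically below 149.0.7827.103? The classic mistake is comparing version strings lexically, which ranks "99.0.4844.51" after "149.0.7827.103". The following is an added example, not HarborGuard's scanner code or anything from the Chromium project; it compares the four dotted components as integers and accepts either a bare version or the output of `google-chrome --version`. The sample version strings are constructed for illustration.

```shell
# Added example (not HarborGuard's or Chromium's code): decide whether a Chrome
# build is below the CVE-2026-11644 fix version by comparing the dotted
# components numerically rather than as strings.
FIX_VERSION="149.0.7827.103"

# version_lt A B: exit 0 if A < B, 1 otherwise. Missing components count as 0.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        # Pad with ".0.0.0" so short versions such as "149" or "1.2" still yield
        # four fields; cut prints the whole line when a delimiter is absent.
        x=$(printf '%s.0.0.0' "$a" | cut -d. -f"$i")
        y=$(printf '%s.0.0.0' "$b" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal
}

# chrome_below_fix LINE: LINE is a bare version ("148.0.7800.50") or a line
# like "Google Chrome 148.0.7800.50" (constructed sample). Exit 0 when the
# build is affected by CVE-2026-11644, 1 when it is at or above the fix,
# 2 when no version can be parsed (do not silently treat that as "safe").
chrome_below_fix() {
    v=$(printf '%s' "$1" | grep -oE '[0-9]+(\.[0-9]+){1,3}' | head -n1)
    [ -n "$v" ] || { echo "no version found in: $1" >&2; return 2; }
    version_lt "$v" "$FIX_VERSION"
}

# Stand-alone demonstration with constructed inputs.
for sample in "149.0.7827.102" "Google Chrome 149.0.7827.103" "99.0.4844.51"; do
    if chrome_below_fix "$sample"; then
        echo "AFFECTED: $sample"
    else
        echo "not affected: $sample"
    fi
done
```

Inside a container image the same function can be fed the output of `/opt/google/chrome/chrome --version` or the distro package version from `dpkg-query -W -f '${Version}' google-chrome-stable`, but strip any distro suffix (for example a trailing `-1`) before the comparison, since the parser above only reads the first dotted numeric run.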

Exploit Conditions

  • Network reachability: Required

    CVSS scores the attack vector as Network because the malicious extension is delivered over the network (for example a web store listing or a download link the victim is steered to). The Chrome host does not need to accept inbound connections; it only needs to fetch and install the extension.

  • Authentication: Not required

    No account or credential on the target system is required; the attack is initiated entirely through user-side extension installation.

  • Victim interaction: Required

    The victim must be persuaded to install a crafted malicious Chrome extension, making this a social-engineering-dependent attack.

  • Attack complexity: High

    CVSS rates this AC:H. Views is Chrome's browser-process UI toolkit, so turning the dangling pointer into reliable code execution depends on conditions the attacker does not fully control, such as heap layout or timing, beyond simply getting the extension installed.

Blast Radius

  • An attacker gains arbitrary code execution within the Chrome process on the affected Linux host, with access to everything Chrome can read in that user session.
  • Confidential browser data including stored credentials, session cookies, and browsing history is exposed to the attacker.
  • The attacker can write to or modify files and resources accessible to the Chrome process under the logged-in user account.
  • The Chrome process and any dependent browser functionality can be crashed or destabilized, disrupting the user session.

How HarborGuard Handles This

Any image containing Google Chrome below version 149.0.7827.103 on Linux is flagged against this CVE within minutes of advisory ingestion. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, runs a regression check, and opens a PR against affected workloads; for HIGH and CRITICAL severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding appears in the team inbox with the CVSS 7.5 HIGH score and remediation target pre-populated. Because delivery depends on the user installing an extension, an extension allowlist enforced through Chrome's managed policy (ExtensionInstallBlocklist set to "*" together with ExtensionInstallAllowlist, or an ExtensionSettings policy) cuts the attack surface while a rebuild is staged. It does not remove the bug, it only covers hosts that actually load managed policy, and a hostile extension already installed before the policy landed still needs to be removed.
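One way to stage that allowlist on a Linux host, as an added example that is not HarborGuard's or Google's code: Chrome reads JSON policy files from /etc/opt/chrome/policies/managed/ (Chromium builds use /etc/chromium/policies/managed/), and the policy names ExtensionInstallBlocklist and ExtensionInstallAllowlist are real Chrome enterprise policies. The target directory is a parameter so the function can be exercised against a scratch directory first; the 32-character extension ID used below is a constructed placeholder, not a real extension.

```shell
# Added example (not HarborGuard's or Google's code): write a Chrome managed
# policy that blocks every extension except an explicit allowlist, and read it
# back to confirm the block-all entry is present.
#
# Production location (assumption stated in the lead-in):
#   /etc/opt/chrome/policies/managed/extension-allowlist.json
CHROME_POLICY_DIR="/etc/opt/chrome/policies/managed"

# write_extension_policy DIR [ID ...]: writes DIR/extension-allowlist.json.
# Exit 2 without writing anything if any ID is malformed.
write_extension_policy() {
    dir="$1"; shift
    ids=""
    for id in "$@"; do
        # Chrome extension IDs are exactly 32 characters in the range a-p.
        printf '%s' "$id" | grep -qE '^[a-p]{32}$' \
            || { echo "bad extension id: $id" >&2; return 2; }
        ids="${ids:+$ids, }\"$id\""
    done
    mkdir -p "$dir"
    cat > "$dir/extension-allowlist.json" <<EOF
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": [${ids}]
}
EOF
}

# policy_blocks_all DIR: exit 0 if the staged policy blocks "*" (all extensions).
policy_blocks_all() {
    grep -q '"ExtensionInstallBlocklist": \["\*"\]' "$dir_unused_guard" 2>/dev/null
    grep -q '"ExtensionInstallBlocklist": \["\*"\]' "$1/extension-allowlist.json"
}

# Stand-alone demonstration against a scratch directory with a placeholder ID.
scratch=$(mktemp -d)
write_extension_policy "$scratch" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
    && policy_blocks_all "$scratch" \
    && echo "policy staged in $scratch (copy to $CHROME_POLICY_DIR to enforce)"
cat "$scratch/extension-allowlist.json"
```

After copying the file into the managed policy directory, a restarted Chrome lists the loaded values at chrome://policy; an allowlist entry is only honoured if the blocklist "*" entry is present alongside it, which is what policy_blocks_all checks.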


Fix available

149.0.7827.103

Affected packages
  • Google / Chrome: < 149.0.7827.103 (fixed in 149.0.7827.103)

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
(Network attack vector, high complexity, no privileges, user interaction required, scope unchanged, high confidentiality/integrity/availability impact; the vector computes to a base score of 7.5.)