CVE-2026-11645: Out of bounds read and write in V8 in Google Chrome prior to 149
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.103
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An out-of-bounds read and write vulnerability exists in V8, the JavaScript engine embedded in Google Chrome versions prior to 149.0.7827.103. The flaw is reachable over the network and requires no authentication, but does require the victim to visit a crafted HTML page. Successful exploitation gives a remote attacker arbitrary code execution inside the Chrome sandbox. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11645 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. This coverage extends to custom-built images that bundle or ship a Chrome binary, not just upstream base images.
AvailableTriage is available with a CVSS v3.1 score of 8.8 (HIGH) applied automatically, weighted further by each customer organization's compliance policy to reflect environmental risk. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.
AvailableA patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted on an attacker-controlled server.
- AuthenticationNot required
No account or credential is needed; the attacker requires only that the victim's browser loads the malicious page.
- Victim interactionRequired
The victim must navigate to or be redirected to the crafted HTML page, making this a social-engineering or drive-by delivery scenario.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Executes arbitrary code within the Chrome renderer sandbox, giving the attacker full control over the renderer process.
- Reads in-process memory, exposing session tokens, cached credentials, and page content loaded in the affected tab.
- Writes to in-process memory, enabling modification of page content, script execution context, or internal V8 structures.
- Crashes the renderer process if the attacker triggers the out-of-bounds access without a controlled payload, disrupting the browsing session.
How HarborGuard Handles This
Available on HarborGuard: images containing Chrome prior to 149.0.7827.103 are flagged automatically once the CVE enters the ingestion feed, and a rebuilt image at the fixed version is made available for affected environments. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes a regression test run against it, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is surfaced in the dashboard with fix-version details and a direct link to the upstream Chromium security advisory so engineering teams can act on their own schedule.
Fix available
- Google / Chrome< 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H