CVE-2026-11646: Use after free in ViewTransitions in Google Chrome prior to 149
Use after free in ViewTransitions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.103
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the ViewTransitions component of Google Chrome prior to version 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the Chrome sandbox. The attacker reaches the vulnerability over the network and requires no authentication, but does need the victim to visit a crafted HTML page. Successful exploitation grants the attacker code execution within the browser sandbox, which can be chained with a sandbox escape for deeper system compromise. A patched-image rebuild at 149.0.7827.103 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-11646 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chromium or Chrome binary. Any image containing a Chrome version below 149.0.7827.103 is flagged automatically.
AvailableHarborGuard scores this CVE at CVSS 8.8 (High) and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox or ticketing integration configured for the relevant team inside each customer org.
AvailableA patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the victim's browser over the network by serving a crafted HTML page from a remote origin.
- AuthenticationNot required
No account or credential is needed; the attacker only needs the victim to load the malicious page.
- Victim interactionRequired
The victim must visit the attacker-controlled page, making this a social-engineering or drive-by delivery scenario.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout assumptions.
Blast Radius
- The attacker executes arbitrary code inside the Chrome renderer sandbox, gaining full control over the renderer process.
- Confidential data processed by the browser, including session tokens, cookies, and page contents, is readable by the attacker.
- The attacker can modify browser-managed state and data within the sandboxed process, including in-memory form data and cached resources.
- The renderer process can be crashed or held, disrupting the user's browsing session and any web application running in the affected tab.
How HarborGuard Handles This
Available on HarborGuard: any image that bundles Google Chrome below 149.0.7827.103 is matched against this CVE at ingest time and flagged for remediation. A rebuilt image at the fixed version (149.0.7827.103) is available for affected environments. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the flagged finding is routed to the configured owner with the CVSS 8.8 score and full vector context attached.
Fix available
- Google / Chrome< 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H