CVE-2026-11647: Use after free in Printing in Google Chrome on Android prior to 149
Use after free in Printing in Google Chrome on Android prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.3
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Printing component of Google Chrome on Android, affecting versions prior to 149.0.7827.103. The flaw is reachable over the network but requires the attacker to have already compromised the Chrome renderer process and to lure a victim into visiting a crafted HTML page. Successful exploitation enables a sandbox escape, giving the attacker code execution outside the renderer's security boundary with high impact on confidentiality, integrity, and availability. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11647 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built Android-based Chrome container images. Coverage applies to images in customer registries and active CI/CD pipelines without any manual configuration required.
HarborGuard is capable of surfacing this CVE with its CVSS v3.1 score of 8.3 (High) and weighting it against each customer environment's compliance policy to determine urgency. Triage routing is available to deliver the finding to the appropriate team inbox within each customer organization based on configured policy rules.
A patched-image rebuild at Chrome 149.0.7827.103 is available on HarborGuard for any environment found running an affected version. For customers with auto-remediation enabled, HarborGuard is capable of triggering a rebuild, running regression tests, and opening a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the victim over the network by serving a crafted HTML page, making network exposure a prerequisite.
- Authentication: Not required
  No authentication is required; the attacker needs only to direct the victim to a malicious page.
- Victim interaction: Required
  The victim must visit a crafted HTML page, meaning the attacker depends on a social-engineering or redirect step to trigger the vulnerability.
- Attack complexity: Detail
  Attack complexity is high because the attacker must have already independently compromised the Chrome renderer process before this flaw can be leveraged for a sandbox escape.
Blast Radius
- Achieves a sandbox escape, breaking out of Chrome's renderer isolation boundary on the affected Android device.
- Reads sensitive data accessible to the elevated process context, including stored credentials, session tokens, and local application data.
- Modifies files and application state outside the renderer sandbox, enabling persistent tampering with device storage or installed app data.
- Crashes or destabilizes the Chrome process or dependent system services, disrupting availability for the affected user.
How HarborGuard Handles This
Available on HarborGuard: detection of CVE-2026-11647 is active for all customer images matched against the affected Chrome version range, with findings surfaced at CVSS 8.3 (High). Where compliance policy permits, auto-remediation is capable of initiating a rebuild at the fixed version 149.0.7827.103, running a regression test suite, and opening a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. For customers who prefer manual remediation, HarborGuard surfaces the finding with full fix-version detail so engineering teams can prioritize the upgrade promptly. Because this vulnerability requires a pre-compromised renderer as a prerequisite, teams unable to update immediately should also consider network-policy controls that restrict outbound connections from Chrome-based container workloads, reducing attacker reach if a renderer compromise occurs.
Fix available
- Google / Chrome < 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H