CVE-2026-11648: Use after free in FullScreen in Google Chrome on Windows prior to 149
Use after free in FullScreen in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the FullScreen component of Google Chrome on Windows in versions prior to 149.0.7827.103. The flaw is reachable over the network without authentication, but requires a user to visit a crafted HTML page. Successful exploitation corrupts heap memory and gives an attacker the ability to read sensitive data, modify application state, or execute arbitrary code within the browser process. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-11648 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. This capability covers custom-built images that bundle Chrome or Chromium-based tooling alongside upstream base images.
Status: Available
HarborGuard scores this CVE at CVSS 8.8 (High) and weights it against each environment's compliance policy to determine urgency. Triage routing sends findings to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
A patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Status: Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing a victim to a remotely hosted crafted HTML page, so the affected Chrome instance must be able to load remote web content.
- Authentication: Not required
No account or credentials on the target system are required; any user who browses to the attacker-controlled page is a valid target.
- Victim interaction: Required
A victim must actively open or be redirected to a crafted HTML page, making social engineering or malicious advertising the typical delivery mechanism.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.
Blast Radius
- Reads heap memory contents from the Chrome process, which can include stored session cookies, cached credentials, and page content from other open tabs.
- Writes to heap memory, allowing the attacker to modify application state or corrupt data structures inside the browser process.
- Enables arbitrary code execution within the Chrome renderer or browser process on the affected Windows host.
- Crashes the affected Chrome instance if the heap corruption is not steered into a controlled exploit, causing loss of unsaved browser state.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11648 is active across all connected registries and pipelines, matching any image that bundles an affected Chrome build below 149.0.7827.103. Where compliance policy permits, HarborGuard triggers a patched-image rebuild at 149.0.7827.103 automatically; for customers who opt into auto-remediation, that rebuild is followed by a regression run and a pull request opened against affected workloads, with a median time to merged patch PR of around 90 minutes for high-severity issues. Customers who manage remediation manually will find the finding surfaced in their HarborGuard dashboard with CVSS 8.8 scoring and policy-weighted priority to support their own triage workflow.
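For teams doing the manual triage described above, a check of inventoried Chrome versions against the fixed build 149.0.7827.103 can look like the following. This is an added example, not HarborGuard or Google code; the inventory rows, host names and status labels are constructed, and treating non-Windows hosts as out of scope is an assumption taken from the advisory's "on Windows" wording.

```python
import re

FIXED = (149, 0, 7827, 103)  # "Fixed in" version from this advisory

# Exactly four dot-separated numeric parts, not embedded in a longer dotted run.
_VER = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Extract a four-part Chrome version from free text, or None."""
    m = _VER.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(os_name, version_text):
    """Return 'affected', 'patched', 'out-of-scope' or 'review'."""
    version = parse_chrome_version(version_text)
    if version is None:
        return "review"        # unparseable: never silently pass a host
    if os_name.strip().lower() != "windows":
        return "out-of-scope"  # assumption: advisory names Chrome on Windows only
    # Tuple comparison is numeric per component, so .99 sorts below .103.
    # A plain string comparison would rank "149.0.7827.99" above the fix.
    return "affected" if version < FIXED else "patched"


# Constructed inventory rows: (host, OS, reported version string).
INVENTORY = [
    ("ws-001", "Windows", "Google Chrome 149.0.7827.99"),
    ("ws-002", "Windows", "Google Chrome 149.0.7827.103"),
    ("ws-003", "Windows", "148.0.7700.210"),
    ("ws-004", "Windows", "Google Chrome 150.0.7900.12"),
    ("ci-005", "Linux", "Google Chrome 149.0.7827.50"),
    ("ws-006", "Windows", "chrome (version unknown)"),
]


def report(rows=INVENTORY):
    """Map each host to its triage status."""
    return {host: triage(os_name, ver) for host, os_name, ver in rows}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```
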
Fix available
- Google / Chrome < 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H