Severity: HIGH | CVE-2026-11649 | CNA: Chrome

CVE-2026-11649: Use after free in V8 in Google Chrome prior to 149

Use after free in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 149.0.7827.103
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in V8, the JavaScript engine embedded in Google Chrome, allows a remote attacker to execute arbitrary code inside the browser sandbox by luring a victim to a crafted HTML page. The flaw is reachable over the network and requires no authentication, only a single user interaction (visiting the malicious page). Successful exploitation gives the attacker code execution within the Chrome sandbox, which can be chained with a sandbox escape to achieve full compromise. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-11649 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.8 (High) and weights it against each environment's compliance policy to determine urgency and routing, surfacing it to the appropriate team inbox inside each customer organization.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard for any image found to include an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by hosting a crafted HTML page that the victim's browser fetches remotely.

  • Authentication: Not required

    No account or credential of any kind is needed; any visitor to the malicious page is a valid target.

  • Victim interaction: Required

    The victim must visit the attacker-controlled HTML page, making this a social-engineering vector (phishing link, malicious ad, compromised site, etc.).

  • Attack complexity: Detail

    Attack complexity is rated low (AC:L in the CVSS vector), meaning the exploit is reliable and requires no specific race condition, memory layout, or environmental prerequisite beyond the victim loading the page.

Blast Radius

  • The attacker gains arbitrary code execution inside the Chrome renderer sandbox, allowing JavaScript and native code to run at the renderer's privilege level.
  • Confidential data accessible to the renderer, including page content, session cookies, and in-memory credentials for open tabs, can be read.
  • Integrity of rendered content and local storage accessible to the sandbox can be modified by attacker-controlled code.
  • A sandbox-escape primitive chained with this vulnerability enables full access to the underlying host process and its file system.

How HarborGuard Handles This

Available on HarborGuard: any container image that packages a Chrome or Chromium binary older than 149.0.7827.103 is flagged immediately upon CVE ingestion. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the fixed version, executes a regression-test run, and opens a pull request against affected workloads; for high-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation requires manual approval, the rebuilt image and PR are staged and waiting for reviewer sign-off. Teams that cannot update immediately should consider network-policy controls to restrict which workloads can reach external URLs, reducing the surface for socially-engineered delivery of the crafted HTML page.


Fix available: 149.0.7827.103

Affected packages
  • Google / Chrome: < 149.0.7827.103 (from 149.0.7827.103)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H