CVE-2026-11651: Use after free in Network in Google Chrome prior to 149
Use after free in Network in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Network component of Google Chrome (versions prior to 149.0.7827.103) allows a remote attacker to execute arbitrary code inside the browser sandbox by luring a user to a crafted HTML page. The flaw is reachable over the network with no authentication required, but does require the victim to open a malicious page. Successful exploitation gives the attacker arbitrary code execution within the Chrome sandbox, which, combined with a secondary sandbox-escape primitive, could lead to full host compromise. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Chrome security advisory and NVD) within minutes of publication and matched against all customer images, including custom-built images that bundle a Chromium or Chrome binary. Any image containing a Chrome version below 149.0.7827.103 is flagged automatically.
Available
HarborGuard scores this CVE at 9.6 CRITICAL (CVSS v3.1) and surfaces it at the top of the affected-image queue; per-environment compliance policy weighting is applied to adjust priority based on exposure context, and the resulting alert is routed to the inbox configured for critical-severity findings inside each customer organization.
Available
A patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard as soon as a base image or application layer containing the fix is resolvable from upstream. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against each affected workload; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network; the victim's browser must be able to reach (or be directed to) an attacker-controlled or compromised web server.
- Authentication: Not required
No account or credential of any kind is required; any unauthenticated remote party can serve the malicious page.
- Victim interaction: Required
The victim must open a crafted HTML page, meaning the attacker depends on phishing, a malicious ad, or another social-engineering vector to trigger the vulnerability.
- Attack complexity: Detail
Attack complexity is Low: the exploit is reliable and requires no race-condition timing, specific memory layout, or other environmental preconditions beyond the victim visiting the page.
Blast Radius
- The attacker achieves arbitrary code execution inside the Chrome renderer sandbox, enabling the attacker to read any data accessible to the renderer process such as in-memory session tokens and page content.
- The attacker can modify renderer-controlled state and inject content into pages the victim is browsing, including injecting scripts or altering displayed data.
- With code execution in the sandbox, a chained sandbox-escape exploit would grant the attacker full access to the host process, including all files and credentials accessible to the browser.
- The browser process can be crashed or kept in a controlled state, disrupting the user's session and any browser-mediated workflows.
How HarborGuard Handles This
Available on HarborGuard: any image containing Chrome below 149.0.7827.103 is detectable and flagged at CRITICAL priority immediately after CVE ingestion. A rebuilt image at the fixed version (149.0.7827.103) becomes available for affected environments as soon as upstream layers resolve. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads; at critical severity, the median time from publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not permitted by compliance policy, the flagged finding appears in the HarborGuard dashboard with remediation guidance so engineering teams can act manually. Because this vulnerability requires victim interaction via a browser, teams shipping container images that bundle Chrome (such as headless browser workers or test runners) should treat this as highest priority and apply the rebuild immediately.
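For teams acting manually on images that bundle Chrome, the check against the fixed version has to compare the four version fields as integers, because a plain string comparison ranks 149.0.7827.99 above 149.0.7827.103. The following is an added example, not HarborGuard's code; the image names and banner strings are constructed sample data.

```python
import re

# Fixed version stated on this page for CVE-2026-11651.
FIXED = (149, 0, 7827, 103)

# Matches the four-part version in `--version` output ("Google Chrome 1.2.3.4",
# "Chromium 1.2.3.4 built on ...") and in a "HeadlessChrome/1.2.3.4" UA token.
_VERSION_RE = re.compile(r"Chrom(?:e|ium)[ /](\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return the Chrome version found in `banner` as a 4-tuple of ints, or None."""
    match = _VERSION_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(banner):
    """Return 'affected', 'fixed' or 'unknown' for one version banner."""
    version = parse_version(banner)
    if version is None:
        # An unparseable banner is not evidence of a safe image; review it by hand.
        return "unknown"
    # Tuple comparison is numeric per field, so (…, 99) < (…, 103) holds.
    return "affected" if version < FIXED else "fixed"


def audit(inventory):
    """Map each image name to its classification."""
    return {image: classify(banner) for image, banner in inventory.items()}


# Constructed inventory: image name -> captured version banner or user agent.
SAMPLE_INVENTORY = {
    "ci/e2e-runner:2026.05": "Google Chrome 149.0.7827.99",
    "web/pdf-render:3.2": "Chromium 149.0.7827.103 built on Debian GNU/Linux 12",
    "scrape/worker:latest": (
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
        "HeadlessChrome/148.0.7700.45 Safari/537.36"
    ),
    "tools/legacy:1": "sh: chrome: command not found",
}

if __name__ == "__main__":
    for image, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status:9} {image}")
```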
Fix available
- Google / Chrome < 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H