CVE-2026-11652: Use after free in Extensions in Google Chrome prior to 149
Use after free in Extensions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.3
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Extensions component of Google Chrome prior to version 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to escape Chrome's sandbox by delivering a crafted HTML page. The attack requires no special privileges but does require the victim to visit or interact with attacker-controlled content, and the attacker must also have pre-compromised the renderer. Successful exploitation gives the attacker full read, write, and denial-of-service capability beyond the browser sandbox, effectively breaking the primary security boundary between web content and the underlying host. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11652 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chromium or Chrome binary. Any image with a Chrome version below 149.0.7827.103 is flagged automatically as part of each pipeline scan.
HarborGuard surfaces CVE-2026-11652 with its CVSS v3.1 score of 8.3 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. The resulting finding is delivered to the appropriate team inbox inside each customer organization based on configured ownership rules.
A patched-image rebuild at Chrome 149.0.7827.103 becomes available through HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must reach the victim over the network by serving a crafted HTML page from a remote location, making the service's network exposure a prerequisite.
- Authentication: Not required
No account or credential is needed; the attack is reachable by any unauthenticated remote party who can get the victim to load content.
- Victim interaction: Required
The victim must visit or otherwise load the attacker-crafted HTML page, making a social-engineering or malicious-link delivery step necessary.
- Attack complexity: Detail
Attack complexity is HIGH, meaning the attacker must first have compromised the renderer process through a separate exploit before this sandbox-escape step can be attempted, introducing an environmental dependency beyond the attacker's direct control.
Blast Radius
- An attacker who successfully escapes the sandbox reads arbitrary data accessible to the Chrome process, including stored session tokens, credentials, and profile data.
- The attacker gains the ability to write to file system locations and modify data accessible outside the browser sandbox.
- Full compromise of sandbox isolation means the attacker can execute code at the privilege level of the browser process on the host operating system.
- The attacker can crash or destabilize the browser process, causing a denial of service for the affected user.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11652 is active across all scanning environments the moment the CVE enters upstream feeds, covering any image that ships Chrome below 149.0.7827.103. Where a customer's compliance policy permits auto-remediation, HarborGuard triggers a rebuild against the fixed version (149.0.7827.103), runs a regression test suite, and opens a pull request against affected workloads; for high-severity issues, median time from publication to merged PR is around 90 minutes. Customers who have not yet enabled auto-remediation will see the finding routed to their configured team inbox with full CVSS context and a direct reference to the fix version, enabling manual remediation decisions without additional research.
Fix available
- Google / Chrome < 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H