How is CVE-2026-11655 exploited?

Network reachability (required): The attacker must reach the target over the network by serving a crafted HTML page to the victim's browser. Authentication (not-required): No credentials or prior account access are needed; the attack is available to any remote party. Victim interaction (required): The victim must navigate to or be redirected to a crafted HTML page, requiring a social-engineering step. Attack complexity (info): Exploitation is high complexity; the attacker must have already compromised the renderer process before leveraging this overflow, introducing a meaningful environmental prerequisite.

What is the impact of CVE-2026-11655?

Reads sensitive data from outside the Chrome sandbox, including stored credentials, session tokens, and files accessible to the browser process owner. Modifies files or system state outside the sandbox boundary on the affected macOS host. Crashes or disrupts services running on the host beyond the browser process itself. Achieves code execution in the context of the host OS user, enabling follow-on persistence or lateral movement.

Back to search

HIGHCVE-2026-11655Published 2026-06-08Modified 2026-06-10CNA Chrome

CVE-2026-11655: Integer overflow in Media in Google Chrome on Mac prior to 149

Integer overflow in Media in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 149.0.7827.103
Affected Products: 1

HarborGuard Analysis

Synopsis

An integer overflow in the Media component of Google Chrome on macOS affects all versions prior to 149.0.7827.103. The vulnerability is reachable over the network but requires the attacker to have already compromised the renderer process and to trick a user into visiting a crafted HTML page; no credentials are needed. Successful exploitation enables a sandbox escape, giving the attacker code execution outside the browser sandbox with access to confidential data, the ability to modify system state, and the ability to disrupt the host. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11655 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registered registries and CI pipelines, including custom-built images that bundle Chrome on macOS base layers.

Available

Triage

HarborGuard triage is capable of scoring this CVE at CVSS 8.3 HIGH and weighting it against each environment's compliance policy to prioritize routing; alerts are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard the moment the fix version is confirmed in upstream advisory feeds. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the target over the network by serving a crafted HTML page to the victim's browser.
AuthenticationNot required
No credentials or prior account access are needed; the attack is available to any remote party.
Victim interactionRequired
The victim must navigate to or be redirected to a crafted HTML page, requiring a social-engineering step.
Attack complexityDetail
Exploitation is high complexity; the attacker must have already compromised the renderer process before leveraging this overflow, introducing a meaningful environmental prerequisite.

Blast Radius

Reads sensitive data from outside the Chrome sandbox, including stored credentials, session tokens, and files accessible to the browser process owner.
Modifies files or system state outside the sandbox boundary on the affected macOS host.
Crashes or disrupts services running on the host beyond the browser process itself.
Achieves code execution in the context of the host OS user, enabling follow-on persistence or lateral movement.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11655 is active as soon as the advisory is ingested, covering any image that bundles an affected Chrome build on a macOS base layer. Where compliance policy permits, auto-remediation customers receive a rebuilt image at Chrome 149.0.7827.103, a regression test run against that image, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who have not opted into auto-remediation will see the CVE flagged in their scan results with a pinned fix version for manual action. Because exploitation requires a pre-compromised renderer, teams should also consider hardening renderer process isolation and reviewing any extensions or content policies that could facilitate an initial renderer compromise.

See how HarborGuard automates this

Fix available

149.0.7827.103

Affected packages

Google / Chrome
< 149.0.7827.103 (from 149.0.7827.103)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available