CVE-2026-11657: Use after free in Payments in Google Chrome on Mac prior to 149
Use after free in Payments in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.103
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Use-after-free vulnerability in the Payments component of Google Chrome on macOS affects all Chrome versions prior to 149.0.7827.103. The flaw is reachable over the network and requires no authentication, but does require the victim to visit a crafted HTML page. Successful exploitation gives the attacker arbitrary code execution in the context of the browser process. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-11657 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Chrome on macOS base layers. Any image carrying a Chrome version below 149.0.7827.103 is flagged automatically.
AvailableTriage is available with a CVSS v3.1 score of 8.8 (HIGH) applied to every matched image, weighted further by each customer environment's compliance policy to determine priority. Findings are routed to the appropriate team inbox within the customer org based on configured ownership rules.
AvailableA patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard the moment the fix version is confirmed in upstream feeds. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network; the victim's browser must be able to reach an attacker-controlled or compromised web server.
- AuthenticationNot required
No account or credential of any kind is needed; any user browsing to the crafted page is a valid target.
- Victim interactionRequired
The victim must visit a crafted HTML page, making this a social-engineering or drive-by delivery scenario requiring at least one click or navigation action.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- The attacker gains arbitrary code execution inside the Chrome browser process on the victim's macOS host.
- Confidentiality impact is high: the attacker can read browser memory, stored credentials, session tokens, autofill data including payment card details, and files accessible to the browser process.
- Integrity impact is high: the attacker can write or modify data in the browser process, plant files, or pivot to other browser-accessible storage.
- Availability impact is high: the attacker can crash or hang the browser process, and may use code execution to disrupt or destroy broader host resources.
How HarborGuard Handles This
Available on HarborGuard: any image bundling Google Chrome below 149.0.7827.103 on a macOS base layer is detectable and flagged immediately upon CVE ingestion. Where compliance policy permits, a rebuilt image at the fixed version is prepared and a regression run is triggered; for customers with auto-remediation enabled, a pull request is opened against affected workloads with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues. Customers who have not enabled auto-remediation receive a prioritized finding in their HarborGuard dashboard with the pinned fix version and affected image digest listed for manual action.
Fix available
- Google / Chrome< 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H