CVE-2026-11659: Integer overflow in UI in Google Chrome on Linux prior to 149
Integer overflow in UI in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
An integer overflow in the UI component of Google Chrome on Linux (versions prior to 149.0.7827.103) allows a remote attacker to trigger a sandbox escape by luring a user to a crafted HTML page. The vulnerability is reachable over the network with no authentication required, though the attacker must induce the victim to visit a malicious page. Successful exploitation gives the attacker full confidentiality, integrity, and availability impact outside the Chrome sandbox, effectively enabling remote code execution on the host. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11659 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome on Linux.
Triage is available with the full CVSS v3.1 score of 9.6 (Critical) applied automatically, weighted against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within the customer organization based on configured ownership rules.
A patched-image rebuild at Chrome 149.0.7827.103 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the exploit over the network by directing the victim to a remotely hosted crafted HTML page, so the Chrome instance must be reachable in a browsing context exposed to attacker-controlled content.
- Authentication: Not required
  No account or credential is needed; the attacker only needs the victim to open a URL.
- Victim interaction: Required
  The victim must visit a crafted HTML page, meaning the attacker must use phishing, malicious ads, or another social-engineering vector to get the user to browse to the page.
- Attack complexity: Detail
  Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond victim interaction.
Blast Radius
- The attacker escapes the Chrome renderer sandbox and gains code execution in the context of the browser process on the Linux host.
- With sandbox escape achieved, the attacker reads files and secrets accessible to the user running Chrome, including stored credentials, session cookies, and local application data.
- The attacker can write or modify files on the host filesystem within the user's permissions, enabling persistence or tampering with other applications.
- The attacker can crash or destabilize the browser process and any dependent services, causing a denial of service for the affected user session.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11659 has been active across all customer image scanning pipelines since the moment the CVE was published, with no manual configuration required. For environments running a Chrome-on-Linux image below version 149.0.7827.103, a rebuilt image at the fixed version is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes the configured regression tests, and opens a pull request against affected workloads; for critical-severity issues, the median time from publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding appears in the vulnerability dashboard with CVSS 9.6 Critical severity and ownership routing so the responsible team can act immediately. As an interim compensating control before patching, consider restricting which container workloads have access to external browsing contexts and applying network policy to limit egress from Chrome-running containers to known-safe destinations.
Fix available
- Google / Chrome < 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H