Severity: HIGH | CVE-2026-11660 | CNA: Chrome

CVE-2026-11660: Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149

Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 149.0.7827.103
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Insufficient input validation in the New Tab Page component of Google Chrome (versions prior to 149.0.7827.103) allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a specially crafted HTML page. The attack is reachable over the network and requires no authentication, but it does need the victim to interact with a crafted page, and exploitation is conditional on a renderer compromise already being in place. Successful exploitation gives the attacker full read, write, and crash capability outside the sandbox, effectively achieving code execution at the host level. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection for CVE-2026-11660 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of upstream publication, including custom-built images that bundle a Chrome or Chromium binary. Any image in a customer registry or CI pipeline carrying a Chrome version below 149.0.7827.103 is flagged automatically.
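The version gate described above can be sketched as follows. This is an added example, not HarborGuard's code: the image names and the `--version` style output strings are constructed samples, and only the fixed version 149.0.7827.103 comes from this page. It compares the four numeric fields as integers, because a plain string comparison misorders builds such as 149.0.7827.99.

```python
import re

FIXED = (149, 0, 7827, 103)  # fixed version stated on this page

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
# The lookarounds stop a match inside a longer dotted or numeric run.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the first four-part version found in text as ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def is_affected(version_output, fixed=FIXED):
    """True if below the fix, False if at or above it, None if unparseable."""
    version = parse_chrome_version(version_output)
    if version is None:
        return None  # no version string: report as unknown, never as clean
    return version < fixed  # tuple comparison is numeric, field by field


def triage(inventory):
    """Map each image name to 'affected', 'fixed' or 'unknown'."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {image: labels[is_affected(out)] for image, out in inventory.items()}


# Constructed inventory: image name -> captured browser version output.
SAMPLE = {
    "ci/e2e-runner:latest": "Google Chrome 149.0.7827.99 ",
    "tools/pdf-render:3": "Chromium 149.0.7827.103 built on Debian",
    "legacy/scraper:1": "Google Chrome 148.0.7778.200",
    "web/frontend:7": "HeadlessChrome/150.0.7900.12",
    "base/alpine:3": "chromium: not found",
}

if __name__ == "__main__":
    for image, status in triage(SAMPLE).items():
        print(f"{status:9} {image}")
```
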

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.3 HIGH and can weight that score against each environment's compliance policy to determine urgency and routing. Triage findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard once the upstream fix is confirmed present in the base or application layer. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the targeted Chrome instance must be reachable or the user must browse to an attacker-controlled origin.

  • Authentication: Not required

    No account or credential is needed; the attack is launched from an unauthenticated web context.

  • Victim interaction: Required

    The victim must visit or be redirected to the attacker-crafted HTML page, making social engineering or malicious ad delivery a prerequisite.

  • Attack complexity (detail)

    Exploitation is rated AC:H, meaning the attacker must first have achieved renderer-process compromise before this sandbox escape becomes possible, introducing a significant prerequisite beyond simple delivery.

Blast Radius

  • Reads sensitive data from processes and memory regions outside the Chrome sandbox, including credentials, session tokens, and files accessible to the browser process user.
  • Writes or modifies files and system state outside the sandbox, enabling persistence mechanisms or tampering with local data.
  • Crashes or destabilizes processes outside the renderer, potentially taking down the entire browser or dependent host services.
  • Achieves arbitrary code execution at the privilege level of the host process, bypassing Chrome's primary security boundary entirely.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11660 has been active across all connected registries and pipelines from the moment the CVE entered the upstream feeds. For environments running a Chrome-bundled image below version 149.0.7827.103, a patched-image rebuild targeting 149.0.7827.103 is available. Where compliance policy permits, customers with auto-remediation enabled receive the full flow: rebuilt image, regression-test run, and a PR opened against affected workloads. This CVE is rated HIGH with a CVSS score of 8.3; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.

For environments that cannot yet apply the patch, compensating controls include network-policy restrictions that limit which internal services can load arbitrary external URLs, egress filtering to reduce exposure to attacker-controlled origins, and disabling or sandboxing any workloads that invoke Chrome headlessly with untrusted input.


Fix available: 149.0.7827.103

Affected packages
  • Google / Chrome: < 149.0.7827.103 (from 149.0.7827.103)

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H