CVE-2026-11662: Type Confusion in Bindings in Google Chrome prior to 149
Type Confusion in Bindings in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.103
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A type confusion vulnerability in the Bindings layer of Google Chrome prior to version 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the browser sandbox. The vulnerability is reachable over the network and requires no authentication, but the victim must visit a crafted HTML page. Successful exploitation gives the attacker arbitrary code execution within the Chrome sandbox, which can be chained with a sandbox escape to achieve broader compromise. A patched-image rebuild at 149.0.7827.103 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chrome or Chromium binary. Any image carrying a Chrome version below 149.0.7827.103 is flagged immediately.
AvailableHarborGuard scores this CVE at CVSS 8.8 (High) and weights it against each environment's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard as soon as the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted remotely.
- AuthenticationNot required
No account or credentials are needed; any unauthenticated remote attacker can attempt the exploit.
- Victim interactionRequired
The victim must visit or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.
Blast Radius
- The attacker achieves arbitrary code execution inside the Chrome renderer sandbox.
- Confidential data accessible to the renderer, such as page content, stored credentials, and session tokens visible to the browser process, can be read.
- The attacker can modify in-page data and interact with web origins loaded in the compromised renderer.
- A successful sandbox escape chained to this vulnerability would grant full access to the underlying host user account and its files and processes.
How HarborGuard Handles This
Available on HarborGuard: images containing Chrome versions below 149.0.7827.103 are detected automatically on every scan cycle and flagged as High severity. A patched rebuild targeting 149.0.7827.103 is made available as soon as the upstream package is confirmed. For customers who opt into auto-remediation, HarborGuard queues the rebuild, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where compliance policy requires manual approval, the finding is routed to the configured owner inbox with full CVSS context and a direct link to the available patched rebuild.
Fix available
- Google / Chrome< 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H