HIGH | CVE-2026-11663 | CNA: Chrome

CVE-2026-11663: Use after free in Skia in Google Chrome prior to 149

Use after free in Skia in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 149.0.7827.103
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free in the Skia graphics library in Google Chrome (versions prior to 149.0.7827.103) is reachable by a remote attacker over the network. No authentication is required, but the victim must visit a crafted HTML page, and the bug is exploitable only after the attacker has already compromised the renderer process. Successful exploitation enables a sandbox escape, giving the attacker capabilities beyond the normally isolated renderer context, with high impact on the confidentiality, integrity, and availability of the host. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11663 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Chrome or Chromium. Coverage extends to both registry scans and in-pipeline image checks at build time.

Status: Available

Triage

HarborGuard scores this CVE at 8.3 HIGH using the CVSS v3.1 vector and weighs it against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer org based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.103 is available on HarborGuard for any environment found to be running an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable in a browsing context exposed to attacker-controlled content.

  • Authentication: Not required

    No credentials or authenticated session are needed; the attacker only requires the ability to serve or link to a crafted page.

  • Victim interaction: Required

    The victim must visit or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.

  • Attack complexity (detail)

    Attack complexity is high because exploitation requires a prior renderer-process compromise as a prerequisite, meaning the attacker must chain this bug with a separate renderer vulnerability rather than exploiting it in isolation.

Blast Radius

  • Escapes the Chrome sandbox, breaking out of the renderer isolation boundary and gaining access to the underlying host process context.
  • Reads sensitive data accessible to the browser process, including stored credentials, cookies, and session tokens.
  • Modifies files or state accessible to the browser process, enabling tampering with local data or browser configuration.
  • Crashes or destabilizes the browser process, causing denial of service to the affected user session.

How HarborGuard Handles This

Available on HarborGuard: images containing Chrome versions below 149.0.7827.103 are flagged automatically as this CVE is ingested from upstream feeds, with no manual scan trigger needed. Where compliance policy permits auto-remediation, HarborGuard initiates a rebuild against Chrome 149.0.7827.103, runs regression checks on the resulting image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the CVE appears in the triage queue with full CVSS context so engineering teams can act on their own schedule. Because exploitation requires a prior renderer compromise, teams should also consider whether their deployment exposes Chrome to untrusted content in a way that raises the practical risk. Network-policy controls that restrict what a compromised renderer can reach can serve as a compensating control while a rebuild is in progress.


Fix available: 149.0.7827.103

Affected packages

  • Google / Chrome: < 149.0.7827.103 (from 149.0.7827.103)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H