CVE-2026-11667: Out of bounds read in WebRTC in Google Chrome prior to 149
Out of bounds read in WebRTC in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the GPU process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
An out-of-bounds read vulnerability in the WebRTC component of Google Chrome prior to version 149.0.7827.103 allows a remote attacker who has already compromised the GPU process to trigger heap corruption. The attack is delivered over the network by luring the victim to a crafted HTML page; it requires no authentication, but exploitation is rated high complexity because the attacker must already control the GPU process. Successful exploitation gives the attacker full confidentiality, integrity, and availability impact (all rated High) on the affected process, enabling data theft, data tampering, and service disruption. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11667 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium. No manual configuration is required for the initial match to surface.
HarborGuard scores this CVE at CVSS 7.5 (HIGH) using the published v3.1 vector and applies per-environment compliance policy weighting to determine urgency and routing. Triage findings are delivered to the inbox or ticketing integration configured for the relevant team inside each customer organization.
A patched-image rebuild at Chrome 149.0.7827.103 is available on HarborGuard for any image found to include an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the victim over the network by serving or directing them to a crafted HTML page hosted remotely.
- Authentication: Not required
No account credentials or prior authentication to the target service are needed to deliver the exploit.
- Victim interaction: Required
The victim must navigate to or load a crafted HTML page, making this a social-engineering vector that requires the attacker to lure the user.
- Attack complexity: High
Exploitation is rated High complexity because the attacker must first have compromised the Chrome GPU process before the out-of-bounds read can be leveraged for heap corruption.
Blast Radius
- A successful attacker reads arbitrary heap memory from the compromised Chrome process, exposing in-memory session tokens, credentials, and page content.
- The attacker writes to heap memory, allowing modification of internal Chrome process state and potentially injecting malicious data into rendered content.
- The heap corruption can crash the affected Chrome process, disrupting the user's browsing session and any web-based application running within it.
- Because Confidentiality, Integrity, and Availability are all rated High, the attacker achieves broad control over the compromised renderer context.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome versions below 149.0.7827.103 are flagged automatically when this CVE is matched during any scan cycle, whether images sit in a registry or pass through a build pipeline. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fixed version (149.0.7827.103), runs a regression test suite, and opens a pull request against affected workloads. For high-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where compliance policy restricts auto-remediation, the CVE surfaces in the triage queue with CVSS scoring and policy-weighted priority so the responsible team can act manually. Because this exploit requires a pre-compromised GPU process as a prerequisite, teams that cannot immediately rebuild may reduce risk by applying network-policy isolation to restrict what Chrome-bearing workloads can reach, limiting the attacker's ability to serve or retrieve crafted pages in sensitive environments.
Fix available
- Google / Chrome: < 149.0.7827.103 (fixed in 149.0.7827.103)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H