CVE-2026-11674: Use after free in Guest View in Google Chrome prior to 149
Use after free in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
Use-after-free in Guest View in Google Chrome (versions prior to 149.0.7827.103) allows a remote attacker to execute arbitrary code inside the Chrome sandbox by tricking a user into visiting a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, but does require the victim to open a malicious page. Successful exploitation gives the attacker arbitrary code execution within the browser sandbox, with high impact to confidentiality, integrity, and availability. A patched-image rebuild at 149.0.7827.103 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chromium or Chrome runtime. Any image carrying a Chrome version below 149.0.7827.103 is flagged automatically.
Available
HarborGuard surfaces this CVE with its CVSS 3.1 score of 8.8 (HIGH), and per-environment compliance policy weighting can escalate or adjust priority before routing the finding to the appropriate team inbox within each customer organization.
Available
A patched-image rebuild pinned to Chrome 149.0.7827.103 becomes available on HarborGuard the moment the fix version is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by hosting a crafted HTML page that the victim's browser fetches remotely.
- Authentication: Not required
No account or credential is needed; any unauthenticated remote attacker can attempt the exploit.
- Victim interaction: Required
The victim must navigate to or open a crafted HTML page, requiring a social-engineering step such as a phishing link or malicious ad.
- Attack complexity: Detail
Attack complexity is low (AC:L in the CVSS vector), meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors.
Blast Radius
- Executes arbitrary code inside the Chrome renderer sandbox, giving the attacker a foothold within the browser process.
- Reads sensitive data accessible to the browser context, including session tokens, cached credentials, and page content from open tabs.
- Modifies browser state or data accessible within the sandbox, enabling tampering with rendered content or local storage.
- Crashes or destabilizes the affected Chrome process, causing denial of service for the user session.
How HarborGuard Handles This
Available on HarborGuard: any image containing Chrome below 149.0.7827.103 is matched against this CVE within minutes of ingestion and flagged as HIGH severity. A rebuilt image at the fixed version (149.0.7827.103) is available for affected environments. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, runs a regression test suite against it, and opens a pull request against affected workloads automatically. For HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who review findings manually will find the CVE routed to the appropriate team inbox with CVSS score, affected image list, and fix-version details attached.
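The version match described above reduces to a numeric comparison of the four-part Chrome version against 149.0.7827.103; the sketch below is an added example for checking an inventory by hand, not HarborGuard's code. The image names and `--version` outputs are constructed sample data, and the function names are hypothetical.

```python
import re

# Fix version taken from the advisory above.
FIXED = (149, 0, 7827, 103)

# Matches a four-part Chrome/Chromium version such as "149.0.7827.103".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text):
    """Return the first four-part version in `text` as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version_output, fixed=FIXED):
    """True if below the fix, False if at or above it, None if no version found."""
    version = parse_chrome_version(version_output)
    if version is None:
        return None  # unknown: needs manual review, must not be reported as clean
    # Integer tuples, not strings: as text, "149.0.7827.99" sorts after
    # "149.0.7827.103" and a vulnerable build would be missed.
    return version < fixed


# Constructed sample inventory: image name -> output of `<browser> --version`.
SAMPLE_INVENTORY = {
    "ci/e2e-runner:1.4": "Google Chrome 149.0.7827.99 ",
    "web/pdf-render:7": "Chromium 149.0.7827.103 built on Debian",
    "qa/headless:latest": "Google Chrome 150.0.7900.12",
    "legacy/scraper:2": "Chromium 148.0.7778.204",
    "tools/misc:3": "chrome: not found",
}


def triage(inventory):
    """Split an inventory into affected, ok and unknown image lists."""
    result = {"affected": [], "ok": [], "unknown": []}
    for image, output in sorted(inventory.items()):
        verdict = is_affected(output)
        key = "unknown" if verdict is None else ("affected" if verdict else "ok")
        result[key].append(image)
    return result


if __name__ == "__main__":
    for status, images in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(images) or '-'}")
```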
Fix available
- Google / Chrome: < 149.0.7827.103 (fixed from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H