HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-11679Published Modified CNA Chrome

CVE-2026-11679: Use after free in Codecs in Google Chrome on Windows prior to 149

Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

CVSS v3.1
8.3
Severity
HIGH
Fixed in
149.0.7827.103
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Use-after-free in the Codecs component of Google Chrome on Windows (versions prior to 149.0.7827.103) allows a remote attacker who has already compromised the renderer process to escape Chrome's sandbox via a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though it does require the victim to interact with a malicious page and depends on the attacker having renderer-level compromise in place first. Successful exploitation gives the attacker code execution outside the Chrome sandbox, effectively breaking out of the browser's primary containment boundary. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11679 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Chromium or Chrome on Windows base layers. Any image in a customer registry or CI pipeline carrying a Chrome version below 149.0.7827.103 is flagged automatically.

Available
Triage

HarborGuard scores this CVE at 8.3 HIGH using the published CVSS v3.1 vector and weights the finding against each environment's compliance policy to determine escalation priority. Triage results are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the victim over the network by delivering a crafted HTML page, as indicated by AV:N in the CVSS vector.

  • AuthenticationNot required

    No authentication or account credentials are needed; the attacker interacts with the victim as an anonymous party, per PR:N.

  • Victim interactionRequired

    The victim must visit or render a crafted HTML page, meaning a social-engineering step (such as clicking a link or opening a file) is necessary, per UI:R.

  • Attack complexityDetail

    Attack complexity is rated High (AC:H), meaning the attacker must already have compromised the renderer process before this vulnerability can be used to escape the sandbox, introducing a significant prerequisite.

Blast Radius

  • A successful attacker breaks out of the Chrome sandbox on Windows, gaining code-execution capability at the privilege level of the browser process rather than the restricted renderer.
  • With sandbox escape achieved, the attacker can read files and credentials accessible to the Chrome process user account on the host.
  • The attacker can write or modify files on the host filesystem within the reach of that user account, enabling persistence mechanisms or tampering with local data.
  • Full integrity, confidentiality, and availability impact (C:H, I:H, A:H) means the attacker can also crash or destabilize the affected process and any dependent services.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all customer environments, matching container images that include Chrome on Windows against the affected version range below 149.0.7827.103. Where an affected image is identified, a rebuild at the patched version 149.0.7827.103 is available immediately. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run against the updated image, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. Because exploitation requires a pre-existing renderer compromise as a prerequisite, teams that cannot update immediately should consider network-policy controls that restrict which origins Chrome-based containers can load, reducing the attack surface for the initial renderer compromise that this vulnerability builds on.

See how HarborGuard automates this

Fix available

149.0.7827.103
Affected packages
  • Google / Chrome
    < 149.0.7827.103 (from 149.0.7827.103)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
References