CVE-2026-11681: Use after free in Ozone in Google Chrome on Linux prior to 149
Use after free in Ozone in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Ozone display subsystem of Google Chrome on Linux affects all Chrome versions prior to 149.0.7827.103. The flaw is reachable over the network without authentication but requires a user to visit a crafted HTML page, which gives an attacker a path to heap corruption. The CVSS vector rates confidentiality, integrity, and availability impact as High: read, write, and crash capability over the affected browser process. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11681 is available across every HarborGuard environment, with the CVE matched against customer images, including custom-built images, within minutes of upstream publication. Any image packaging a Linux-based Chrome build below 149.0.7827.103 is flagged automatically in both registry scans and CI/CD pipeline checks.
Triage is available with the full CVSS 3.1 score of 8.8 (High) applied to each finding, weighted against the compliance policy configured for the customer environment. Findings are routed to the inbox or ticketing integration configured for the relevant team within each organization.
A patched-image rebuild pinned to Chrome 149.0.7827.103 becomes available the moment HarborGuard ingests the fix-version record. For customers with auto-remediation enabled, HarborGuard runs the rebuild, executes a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted on an attacker-controlled server.
- Authentication: Not required
No account, session token, or credential of any kind is needed to serve the malicious page or trigger the vulnerability.
- Victim interaction: Required
The targeted user must open the crafted HTML page in the affected browser, making this a social-engineering or drive-by scenario requiring at least one click or navigation action.
- Attack complexity: Detail
Attack complexity is rated low (AC:L in the CVSS vector): the score assumes the exploit does not depend on race conditions, memory layout randomization outcomes, or other variable environmental factors.
Blast Radius
- Reads browser memory contents, including stored session tokens, saved credentials, and cached page data belonging to the affected user.
- Writes to heap memory in the browser process, allowing an attacker to corrupt internal structures and potentially redirect code execution.
- Crashes the affected Chrome browser process on Linux, causing immediate loss of all open tabs and in-progress work for the user.
- Combines read and write primitives to achieve arbitrary code execution within the browser's renderer or GPU process security boundary.
How HarborGuard Handles This
Available on HarborGuard: any container image packaging Google Chrome for Linux at a version below 149.0.7827.103 is matched against this CVE within minutes of scan ingestion, covering both registry-resident images and images built inside CI pipelines. A rebuilt image at the fixed version (149.0.7827.103) is available for affected environments. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test pass against the resulting image, and opens a pull request against affected workload definitions automatically; for High-severity issues the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval, the finding is routed to the configured team inbox with the CVSS 8.8 score, affected image list, and fix-version details attached for review.
Fix available
- Google / Chrome < 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
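The fix-version boundary above can be checked locally against the output of `google-chrome --version`. The following is an added example, not HarborGuard's code: the function names are hypothetical, and the image names and version strings in `SAMPLE_INVENTORY` are constructed for illustration.

```python
import re

# Fix version as stated on this page for CVE-2026-11681.
FIXED_VERSION = (149, 0, 7827, 103)

# Four dot-separated integers that are not part of a longer dotted run.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the four-part version in `text` as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(version_output, fixed=FIXED_VERSION):
    """True if below the fix version, False if at or above it, None if unparsable.

    Tuples of ints compare numerically per component. Comparing the raw strings
    would sort "149.0.7827.99" after "149.0.7827.103" and miss an affected build.
    """
    version = parse_chrome_version(version_output)
    return None if version is None else version < fixed


def triage(inventory):
    """Map each image name to 'affected', 'fixed', or 'unknown'."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {image: labels[is_affected(out)] for image, out in inventory.items()}


# Constructed sample: image names and version strings are made up for illustration.
SAMPLE_INVENTORY = {
    "registry.example/e2e-runner:2.1": "Google Chrome 149.0.7827.99 ",
    "registry.example/pdf-render:0.9": "Google Chrome 149.0.7827.102 ",
    "registry.example/scraper:5.0": "Google Chrome 149.0.7827.103 ",
    "registry.example/legacy:1.0": "Google Chrome 148.0.7000.5 ",
    "registry.example/no-browser:1.0": "sh: google-chrome: not found",
}

if __name__ == "__main__":
    for image, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:8} {image}")
```

Images reported as `unknown` produced no parsable version string and need manual review rather than being treated as unaffected.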