Severity: HIGH | CVE-2026-11687 | CNA: Chrome

CVE-2026-11687: Use after free in Dawn in Google Chrome on Mac prior to 149

Use after free in Dawn in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 149.0.7827.103
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Use-after-free in Dawn (the WebGPU backend) in Google Chrome on macOS prior to version 149.0.7827.103. The vulnerability is reachable over the network with no authentication required, but does require a victim to visit a crafted HTML page. Successful exploitation corrupts heap memory, giving the attacker the ability to read sensitive data, tamper with memory contents, and crash or take control of the affected process. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-11687 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or layer Chrome on macOS base images. Any image carrying a Chrome version below 149.0.7827.103 will surface as affected.

Status: Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and weights it further against each environment's compliance policy to prioritize routing. Triage tickets are dispatched to the appropriate team inbox within each customer organization based on those policy rules.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard the moment the fix version is confirmed in upstream metadata. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image, runs a regression suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing the victim to a malicious URL, so the Chrome instance must be reachable via normal browser traffic.

  • Authentication: Not required

    No account or credential is needed; any unauthenticated remote attacker can attempt the exploit by serving a crafted HTML page.

  • Victim interaction: Required

    The victim must open or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.

Blast Radius

  • Reads process memory contents, including session tokens, credentials, or GPU-bound data processed by the Dawn WebGPU backend.
  • Modifies heap memory, allowing an attacker to overwrite internal browser state or injected data structures.
  • Crashes the Chrome renderer or GPU process, causing an immediate denial of service for the affected user.
  • Heap corruption at this severity level carries a realistic risk of full renderer process compromise, enabling arbitrary code execution within the Chrome sandbox on the affected Mac host.

How HarborGuard Handles This

Available on HarborGuard: any container image bundling Google Chrome below 149.0.7827.103 on a macOS base is flagged immediately upon ingestion. Where compliance policy permits, a rebuilt image pinned to 149.0.7827.103 is queued automatically; for customers who opt into auto-remediation, HarborGuard rebuilds the image, executes the configured regression tests, and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of approximately 90 minutes for high-severity issues. Customers who manage patching manually will find the affected images listed in their vulnerability dashboard with a direct pointer to the fix version and the upstream Chromium security advisory.


Fix available: 149.0.7827.103

Affected packages
  • Google / Chrome: < 149.0.7827.103 (from 149.0.7827.103)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H