CVE-2026-11690: Out of bounds read and write in Media in Google Chrome on Mac prior to 149
Out of bounds read and write in Media in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
Out-of-bounds read and write vulnerability in the Media component of Google Chrome on macOS affects all Chrome versions prior to 149.0.7827.103. The flaw is reachable over the network and requires no authentication, but the attacker must have already compromised the renderer process and needs the victim to interact with a crafted HTML page. Successful exploitation allows arbitrary code execution inside the browser sandbox, giving the attacker a foothold for further privilege escalation. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for affected environments.
HarborGuard Coverage
- Available: Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome on macOS base layers.
- Available: HarborGuard scores this CVE at CVSS 7.5 HIGH and can weight that score against each environment's compliance policy to determine urgency; findings are routable to the appropriate team inbox within each customer organization.
- Available: A patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard the moment the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can run the rebuild, execute a regression test suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The attacker delivers the exploit over the network, requiring the victim's browser to reach or receive a crafted HTML page from a remote source.
- Authentication: Not required. No account or credential is needed; the attack is initiated by an unauthenticated remote party.
- Victim interaction: Required. The victim must open or be redirected to a crafted HTML page, making social engineering or a malicious link a prerequisite.
- Attack complexity: High. Exploitation is rated high complexity because the attacker must have already compromised the renderer process before leveraging this bug, which is a significant prerequisite.
Blast Radius
- Executes arbitrary code inside the Chrome sandbox on the victim's Mac, giving the attacker control of the sandboxed renderer process.
- Reads memory contents of the renderer process, which may include session tokens, cached credentials, or page data from visited sites.
- Writes to out-of-bounds memory regions, enabling corruption of renderer state that can be leveraged as a stepping stone for sandbox-escape exploits.
- Combines high confidentiality, integrity, and availability impact, meaning the attacker can read sensitive data, tamper with rendered content, and crash the affected browser process.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active against any customer image that packages Chrome on a macOS base layer, with matching occurring within minutes of CVE publication. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild pinned to Chrome 149.0.7827.103, run regression tests against the rebuilt image, and open a pull request targeting affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are staged and surfaced in the HarborGuard dashboard for one-click promotion. Because the exploit requires a pre-compromised renderer, teams unable to update immediately should consider network-policy controls that restrict outbound connections from browser-hosting containers and egress filtering to limit renderer access to untrusted origins.
Fix available
- Google / Chrome: affected < 149.0.7827.103 (fixed in 149.0.7827.103)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H