HIGH · CVE-2026-11692 · CNA: Chrome

CVE-2026-11692: Use after free in Read Anything in Google Chrome prior to 149

Use after free in Read Anything in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 149.0.7827.103
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Read Anything component of Google Chrome prior to version 149.0.7827.103. The flaw is reachable over the network and requires the attacker to have already compromised the renderer process, but no authentication is needed; the victim must open a crafted HTML page. Successful exploitation allows a renderer-level attacker to escape the Chrome sandbox, gaining the ability to read, modify, or disrupt data at the operating-system process level outside the browser's normal containment. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-11692 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome distribution.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 8.3 (High) and weighting it against each environment's compliance policy to surface it at the right severity tier. Triage routing can direct the finding to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at Chrome 149.0.7827.103 becomes available through HarborGuard once the upstream fix is confirmed, giving any affected image a direct upgrade path. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test pass, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers a crafted HTML page over the network, so the affected Chrome instance must be reachable by or directed to attacker-controlled web content.

  • Authentication: Not required

    No account or credential is required; the attacker only needs to get the victim to load a crafted page.

  • Victim interaction: Required

    The victim must actively open or be redirected to a crafted HTML page, making a social-engineering or malicious-link step necessary.

  • Attack complexity: Detail

    Attack complexity is High because the attacker must have already compromised the renderer process as a prerequisite before the sandbox-escape primitive becomes usable.

Blast Radius

  • A successful attacker escapes the Chrome sandbox and executes code in the browser's host process, bypassing the primary isolation boundary protecting the underlying OS.
  • Confidential data accessible to the Chrome process (stored credentials, cookies, session tokens, local files) becomes readable to the attacker.
  • The attacker can write or modify files and data accessible to the user account running Chrome, including browser profile data and locally cached content.
  • The attacker can crash or destabilize the Chrome process and any dependent services, causing denial of service at the application level.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11692 is matched against all customer images within minutes of publication, covering any image that ships a Chrome or Chromium binary below 149.0.7827.103. Where auto-remediation is enabled and compliance policy permits, HarborGuard queues a patched-image rebuild at version 149.0.7827.103, executes a regression test run against the rebuilt image, and opens a pull request against affected workloads; for High-severity issues, median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 8.3 scoring and policy-weighted priority so teams can initiate a manual rebuild. Because exploitation requires a prior renderer compromise in addition to victim interaction, compensating controls while a rebuild is staged include network-policy rules that restrict egress from container workloads to untrusted origins, and feature-flag or policy gating to disable the Read Anything feature where the Chrome Enterprise policy layer permits it.
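For teams staging a manual rebuild, the version match described above can be reproduced locally. The following is an added example, not HarborGuard's code: it classifies browser version banners against the fixed version 149.0.7827.103 using a numeric, field-by-field comparison. The image names, banner strings and every version other than the fixed one are constructed sample data, and the helper names are hypothetical.

```python
import re

FIXED = (149, 0, 7827, 103)  # fixed version stated on this page

# Four dotted numeric fields, as Chrome/Chromium version banners print them.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Return the 4-part version in a banner as a tuple of ints, or None."""
    m = _VERSION_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(banner, fixed=FIXED):
    """Return 'affected', 'fixed' or 'unknown' for one version banner."""
    version = parse_version(banner)
    if version is None:
        return "unknown"  # do not treat an unparsable banner as safe
    # Tuple comparison is numeric per field; a string comparison would rank
    # "149.0.7827.99" above "149.0.7827.103" and miss an affected build.
    return "affected" if version < fixed else "fixed"


# Constructed inventory: image name -> banner text, as if collected by running
# the browser binary with --version inside each image.
SAMPLE_INVENTORY = {
    "ci/e2e-runner": "Google Chrome 149.0.7827.99 ",
    "web/pdf-render": "Chromium 148.0.7778.85 built on Debian",
    "qa/screenshot": "Google Chrome 149.0.7827.103 ",
    "tools/scraper": "Google Chrome 150.0.7850.12 ",
    "legacy/unknown": "chrome: command not found",
}


def triage(inventory):
    """Group image names by classification."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for image, banner in sorted(inventory.items()):
        result[classify(banner)].append(image)
    return result


if __name__ == "__main__":
    for status, images in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9} {', '.join(images) or '-'}")
```

Images that land in the unknown group need a manual look rather than being counted as patched.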


Fix available: 149.0.7827.103

Affected packages

  • Google / Chrome: < 149.0.7827.103 (from 149.0.7827.103)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H