CVE-2026-11694: Use after free in ServiceWorker in Google Chrome prior to 149
Use after free in ServiceWorker in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
Use-after-free vulnerability in the ServiceWorker component of Google Chrome (versions prior to 149.0.7827.103) allows a remote attacker who has already compromised the renderer process to execute arbitrary code inside the browser sandbox via a crafted HTML page. The attack is reachable over the network but requires victim interaction and carries high attack complexity due to the renderer pre-compromise prerequisite. Successful exploitation gives the attacker code execution within the sandbox, with full confidentiality, integrity, and availability impact on the affected process. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability for CVE-2026-11694 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium as a dependency.
Available
HarborGuard surfaces CVE-2026-11694 with its CVSS 3.1 score of 7.5 (HIGH) and weights findings against each customer environment's compliance policy before routing alerts to the appropriate team inbox within that organization.
Available
A patched-image rebuild pinned to Chrome 149.0.7827.103 becomes available through HarborGuard as soon as the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker delivers the exploit over the network; the target Chrome instance must be reachable and able to load attacker-controlled content.
- Authentication: Not required
  No account or credential is needed to deliver the crafted HTML page that triggers the vulnerability.
- Victim interaction: Required
  A user must visit or be directed to a crafted HTML page, making social engineering or malicious-ad delivery a necessary step in the attack chain.
- Attack complexity: Detail
  Attack complexity is high because the attacker must first compromise the Chrome renderer process before the use-after-free primitive can be leveraged for sandbox code execution.
Blast Radius
- Executes arbitrary code inside the Chrome sandbox process, giving the attacker full control over that process's execution context.
- Reads any data the renderer process can access, including page content, stored credentials surfaced by autofill, and in-memory session tokens.
- Modifies or tampers with page content and renderer state, enabling silent alteration of what the victim sees or submits.
- Crashes or destabilizes the affected browser process, disrupting the user's session and any dependent browser-hosted workloads.
How HarborGuard Handles This
Available on HarborGuard: images containing Chrome versions below 149.0.7827.103 are flagged as soon as the CVE is ingested, which typically happens within minutes of publication. A rebuilt image at the patched version 149.0.7827.103 is available for affected environments. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests against the updated image, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually will find the finding pre-scored at CVSS 7.5 HIGH and routed according to their configured compliance policy, ready for review and action.
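For teams handling the finding manually, the following added example (not HarborGuard's code) classifies Chrome or Chromium version banners against the fixed version 149.0.7827.103 from this advisory. The function names and the sample banners are assumptions constructed for illustration; the comparison is numeric per component because a plain string comparison would rank 149.0.7827.99 above 149.0.7827.103.

```python
import re

# Fixed version taken from the advisory above.
FIXED = (149, 0, 7827, 103)

# Chrome/Chromium versions are four dot-separated integers
# (MAJOR.MINOR.BUILD.PATCH). Reject longer dotted runs such as 1.2.3.4.5.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?!\d|\.\d)")


def parse_chrome_version(text):
    """Return the first four-part version in `text` as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def classify(text, fixed=FIXED):
    """Return 'affected', 'fixed', or 'unknown' for a version banner."""
    version = parse_chrome_version(text)
    if version is None:
        # Never treat an unparseable banner as safe; send it to manual review.
        return "unknown"
    # Tuple comparison is numeric per component, so patch 99 sorts below 103.
    return "affected" if version < fixed else "fixed"


# Constructed sample banners (not taken from any real scan).
SAMPLES = [
    "Google Chrome 149.0.7827.99",
    "Google Chrome 149.0.7827.103",
    "Chromium 150.0.7900.1 built on Debian",
    "HeadlessChrome/148.0.7700.55",
    "chrome (version unavailable)",
]


def report(samples=SAMPLES):
    """Classify each banner and return (banner, verdict) pairs."""
    return [(banner, classify(banner)) for banner in samples]


if __name__ == "__main__":
    for banner, verdict in report():
        print(f"{verdict:8} {banner}")
```
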
Fix available
- Google / Chrome < 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H