CVE-2026-11698: Use after free in Bluetooth in Google Chrome on Mac prior to 149
Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.103
- Affected Products: 1
HarborGuard Analysis
Synopsis
Use-after-free in the Bluetooth component of Google Chrome on macOS affects all Chrome versions prior to 149.0.7827.103. The vulnerability is reachable over the network and requires no authentication, though the victim must visit a crafted HTML page. Successful exploitation causes heap corruption that gives an attacker full read, write, and execution capability inside the Chrome process. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chrome binary.
Available
HarborGuard scores this CVE at CVSS 8.8 HIGH and applies per-environment compliance policy weighting before routing alerts to the appropriate team inbox within each customer org.
Available
A patched-image rebuild at Chrome 149.0.7827.103 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted remotely.
- Authentication: Not required
No account or credential is needed on the target system; any user browsing to the malicious page is at risk.
- Victim interaction: Required
The victim must visit a crafted HTML page, making this a social-engineering vector requiring the attacker to lure the user.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout prerequisites.
Blast Radius
- An attacker gains the ability to read heap memory inside the Chrome process, exposing stored credentials, session tokens, and decrypted page content.
- Heap corruption enables arbitrary writes within the Chrome process, allowing modification of in-memory state such as security flags and DOM structures.
- The combination of read and write primitives from this class of heap corruption typically enables arbitrary code execution at the privilege level of the Chrome renderer process.
- A crashed or hijacked Chrome process disrupts the browsing session, causing denial of service for the affected user.
How HarborGuard Handles This
Available on HarborGuard: any container image that ships a Chrome binary below version 149.0.7827.103 is flagged automatically upon CVE ingestion. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, executes a regression run, and opens a PR against affected workloads, with a median time to merged patch PR of around 90 minutes for high-severity issues. Where compliance policy requires manual approval, the rebuilt image and regression report are staged and a ticket is routed to the designated team inbox for review. Customers who cannot update immediately should consider restricting container deployments that expose a Chrome-based browser surface and applying network policy controls to limit untrusted HTML rendering paths.
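A version gate of the kind described above can be sketched in POSIX shell. This is an added example, not HarborGuard's code: the function names are hypothetical, the sample strings are constructed, and it assumes the `Google Chrome <version>` text that Chrome prints for `--version`.

```shell
#!/bin/sh
# Added example: flag Chrome builds older than the fixed version in this advisory.
# Input is the text printed by `google-chrome --version`, or on macOS by
# "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --version
FIXED="149.0.7827.103"

# Print the first four-part dotted version found in the argument (empty if none).
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_lt A B: succeed only when A < B, comparing each component as a number.
# A plain string comparison would rank 149.0.7827.99 above 149.0.7827.103.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# Return 0 = at or above the fix, 1 = below the fix, 2 = version not parseable.
check_chrome() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no version found in: $1"
        return 2
    fi
    if version_lt "$ver" "$FIXED"; then
        echo "VULNERABLE: $ver < $FIXED"
        return 1
    fi
    echo "OK: $ver >= $FIXED"
    return 0
}

# Constructed sample inputs (not real scan output).
for sample in "Google Chrome 149.0.7827.99" \
              "Google Chrome 149.0.7827.103" \
              "binary present, version string missing"; do
    check_chrome "$sample" || true
done
```

Treat the "unknown" result as a finding in its own right: a Chrome binary whose version cannot be read has not been shown to be patched.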
Fix available
- Google / Chrome < 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H