How is CVE-2026-11699 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing the target to a crafted HTML page, so the Chrome instance must be reachable from an internet or network context. Authentication (not-required): No account, session token, or credential of any kind is required before the attack can be launched. Victim interaction (required): The target user must visit or be redirected to an attacker-controlled HTML page, making this a social-engineering or malicious-link delivery scenario. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

What is the impact of CVE-2026-11699?

A successful attacker gains the ability to read arbitrary memory within the Chrome browser process, exposing session cookies, saved credentials, and page content from open tabs. The attacker can write to heap memory, enabling code execution within the browser process at the privilege level of the logged-in macOS user. The attacker can crash the browser process or destabilize the heap in ways that make the application unresponsive, causing a denial-of-service condition for the user. Because Chrome on macOS may have access to Bluetooth peripherals, heap corruption in the Bluetooth component may allow interaction with or enumeration of paired Bluetooth devices.

Back to search

HIGHCVE-2026-11699Published 2026-06-08Modified 2026-06-09CNA Chrome

CVE-2026-11699: Use after free in Bluetooth in Google Chrome on Mac prior to 149

Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.103
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Bluetooth component of Google Chrome on macOS, affecting all versions prior to 149.0.7827.103. The flaw is reachable over the network and requires no authentication, but does require the target user to visit a crafted HTML page. Successful exploitation causes heap corruption that gives the attacker full read, write, and crash capability over the browser process. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-11699 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Chrome on macOS base layers. HarborGuard's pipeline scans both registry images and in-flight CI/CD pipeline builds, so newly pushed layers are checked before they reach production.

Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and surfaces it with that severity rating in each customer's finding dashboard. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the inbox or ticket queue configured for the responsible team inside each customer org.

Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.103 becomes available in HarborGuard the moment the fix version is confirmed from the upstream advisory. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against any affected workloads.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing the target to a crafted HTML page, so the Chrome instance must be reachable from an internet or network context.
AuthenticationNot required
No account, session token, or credential of any kind is required before the attack can be launched.
Victim interactionRequired
The target user must visit or be redirected to an attacker-controlled HTML page, making this a social-engineering or malicious-link delivery scenario.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

Blast Radius

A successful attacker gains the ability to read arbitrary memory within the Chrome browser process, exposing session cookies, saved credentials, and page content from open tabs.
The attacker can write to heap memory, enabling code execution within the browser process at the privilege level of the logged-in macOS user.
The attacker can crash the browser process or destabilize the heap in ways that make the application unresponsive, causing a denial-of-service condition for the user.
Because Chrome on macOS may have access to Bluetooth peripherals, heap corruption in the Bluetooth component may allow interaction with or enumeration of paired Bluetooth devices.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome prior to 149.0.7827.103 are flagged as affected by this HIGH-severity CVE as soon as a scan runs against them. Where compliance policy permits, auto-remediation customers receive a rebuilt image pinned to the fixed version, a regression test run, and a pull request opened against affected workloads. For high-severity CVEs, the median time from publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. For customers who have not enabled auto-remediation, the finding appears in the dashboard with the recommended fix version clearly noted, so engineers can act manually. If a patched base image is not immediately available in your supply chain, HarborGuard supports compensating-control tagging to flag the image for network-policy isolation or restricted deployment until the update is applied.

See how HarborGuard automates this

Fix available

149.0.7827.103

Affected packages

Google / Chrome
< 149.0.7827.103 (from 149.0.7827.103)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available