PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11136 Google CVE debrief

CVE-2026-11136 is a use-after-free vulnerability in Canvas in Google Chrome prior to 149.0.7827.53. This vulnerability allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. The CVSS score for this vulnerability is 8.8, indicating a high severity. The vulnerability was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2026-11136) and modified on [cveModifiedAt](https://nvd.nist.gov/vuln/detail/CVE-2026-11136).

Vendor
Google
Product
Chrome
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-05
Advisory published
2026-06-04
Advisory updated
2026-06-05

Who should care

Users of Google Chrome prior to version 149.0.7827.53 should update to the latest version to mitigate this vulnerability.

Technical summary

The vulnerability is a use-after-free issue in the Canvas component of Google Chrome. This type of vulnerability occurs when a program attempts to access memory that has already been freed or deleted. In this case, an attacker could exploit the vulnerability by crafting a malicious HTML page that would allow them to execute arbitrary code inside a sandbox.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to version 149.0.7827.53 or later.
  • Review and follow the vendor advisory at [ref-4](https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html).

Evidence notes

The CVE record and NVD detail can be found at [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-11136) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-11136), respectively.

Official resources

CVE-2026-11136 was published on 2026-06-04T23:17:19.750Z and modified on 2026-06-05T20:46:09.017Z.