PatchSiren cyber security CVE debrief
CVE-2026-11656 Google CVE debrief
CVE-2026-11656 is a use after free vulnerability in ServiceWorker in Google Chrome prior to 149.0.7827.103. An attacker who convinced a user to install a malicious extension could potentially perform a sandbox escape via a crafted Chrome Extension. The vulnerability has a CVSS score of 8.3 and is considered High severity by Chromium. The CVE was published on 2026-06-09 and last modified on 2026-06-09.
- Vendor: Google
- Product: Chrome
- CVSS: HIGH 8.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of Google Chrome prior to version 149.0.7827.103, and administrators of systems where Google Chrome is installed.
Technical summary
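The vulnerability is a use after free in ServiceWorker that could allow an attacker to perform a sandbox escape via a crafted Chrome Extension. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H: network attack vector, high attack complexity, no privileges required, user interaction required, changed scope, and high impact on confidentiality, integrity and availability.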
Defensive priority
High
Recommended defensive actions
- Update Google Chrome to version 149.0.7827.103 or later.
- Be cautious when installing extensions from untrusted sources.
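One way to act on the first recommendation across a fleet, as an added example (not code from PatchSiren, Google or NVD): it compares reported Chrome versions numerically against 149.0.7827.103, because a plain string comparison would rank 149.0.7827.99 above the fixed build. The host names and version strings in the sample inventory are constructed, and the input format assumes the output of `google-chrome --version`.

```python
import re

# First fixed build, taken from the advisory text above.
FIXED = (149, 0, 7827, 103)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from text such as the output of
    `google-chrome --version`; return None when no version is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def is_vulnerable(text):
    """True if older than the fixed build, False if fixed, None if unknown."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuple comparison is numeric per component, so 99 < 103 as intended.
    return version < FIXED


def audit(inventory):
    """Map each host to 'vulnerable', 'patched' or 'unknown'."""
    result = {}
    for host, reported in inventory.items():
        state = is_vulnerable(reported)
        if state is None:
            result[host] = "unknown"  # treat as needing manual follow-up
        else:
            result[host] = "vulnerable" if state else "patched"
    return result


# Constructed sample inventory (hosts and versions invented for this example).
SAMPLE = {
    "ws-01": "Google Chrome 149.0.7827.103",
    "ws-02": "Google Chrome 149.0.7827.99",
    "ws-03": "Google Chrome 148.0.7778.216 ",
    "ws-04": "Google Chrome 150.0.7850.12",
    "ws-05": "command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```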
Evidence notes
The CVE was published by the National Vulnerability Database (NVD) and has a trust class of official_vulnerability_database.
Official resources
- CVE-2026-11656 CVE record (CVE.org)
- CVE-2026-11656 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
- Source reference: [email protected] - Permissions Required
CVE-2026-11656 was published on 2026-06-09T00:16:48.580Z and last modified on 2026-06-09T14:58:20.520Z.