PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11663 Google CVE debrief

CVE-2026-11663 is a High severity vulnerability in Google Chrome prior to version 149.0.7827.103. The vulnerability is caused by a use after free in Skia, which could allow a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. The CVSS score for this vulnerability is 8.3, indicating a High severity.

Vendor
Google
Product
Chrome
CVSS
HIGH 8.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-09
Original CVE updated
2026-06-09
Advisory published
2026-06-09
Advisory updated
2026-06-09

Who should care

Users of Google Chrome prior to version 149.0.7827.103 should update to the latest version to mitigate this vulnerability. Additionally, administrators and security teams responsible for managing Chrome deployments should prioritize patching to prevent potential sandbox escapes.

Technical summary

The vulnerability is caused by a use after free in Skia, a graphics library used by Google Chrome. This could allow a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to version 149.0.7827.103 or later.
  • Review and apply the release notes and vendor advisory provided by Google Chrome: [ref-4](https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html).

Evidence notes

The CVE record and NVD detail can be found at: [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-11663) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-11663).

Official resources

CVE-2026-11663 was published on 2026-06-09T00:16:49.407Z and modified on 2026-06-09T14:58:50.903Z.