CVE-2026-10922 · Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a use

01 · The Real Story

This is less a front-door break-in than tricking someone to unlock the maintenance panel from inside

Based on the prompt, this issue affects Google Chrome before 149.0.7827.53 and sits in DevTools, not the normal browsing path. That matters: the exploit chain is not just 'visit a page and lose the box' — the attacker still has to steer the victim into a DevTools-driven workflow or specific UI action, which sharply narrows the reachable population inside a 10,000-host estate.

There is an intel quality problem here: Google's June 2026 desktop release notes list CVE-2026-11022 as a *Medium* DevTools input-validation bug and do not show CVE-2026-10922 in that release. So I am treating your submission as a first-principles assessment of the described DevTools flaw, not blindly inheriting severity from mismatched metadata. On real-world conditions, this lands at = ASSESSED AT MEDIUM because Chrome is everywhere, but the exploit path is gated by DevTools usage and user interaction rather than broad drive-by reach.

"ASSESSED AT MEDIUM: real bug, but the DevTools + user-gesture requirement slashes enterprise exploitability"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a crafted web lure

The attacker starts with a malicious HTML page or web app designed to influence a Chrome user into a very specific interaction path. There is no indication of a wormable or no-click vector here; the attacker needs a person at the keyboard and a believable pretext. No public weaponized exploit kit was located for this CVE ID.

Conditions required:

Victim uses Chrome below 149.0.7827.53
Victim can be reached by web content, link, or embedded browser workflow
Attacker can socially engineer a user into following instructions

Where this breaks in practice:

This is not an unauthenticated service listening on the internet
Email security, URL filtering, and browser isolation can block the lure before the bug matters
No public in-the-wild exploitation evidence found

Detection/coverage: Standard external scanners will not validate this path. Detection is mostly indirect: email/web telemetry, suspicious user journeys, and browser crash or DevTools telemetry if collected.

STEP 02

Move the victim into DevTools

The decisive gate is that the vulnerable component is DevTools. The attacker must convince the user to open or interact with developer tooling, or otherwise hit a DevTools-mediated flow, which is far less common than normal browsing. In enterprise populations, that usually means developers, web admins, QA, or power users rather than the median employee.

Conditions required:

Victim is willing and able to open DevTools or perform the required UI gestures
Chrome policies do not fully restrict DevTools usage
The exploit path depends on the exact vulnerable interaction surface in DevTools

Where this breaks in practice:

Most enterprise users never touch DevTools
Managed-browser policy can restrict DevTools in some populations
User training and secure admin workstation patterns reduce compliance with 'press F12 and paste this' lures

Detection/coverage: EDR rarely flags 'DevTools opened' as malicious by itself. Chrome enterprise telemetry or session recording can help, but many orgs do not collect that at scale.

STEP 03

Trigger the input-validation flaw through the DevTools UI

Once inside the right UI path, the crafted content abuses insufficient validation of untrusted input in DevTools. The likely practical outcomes for this class are bypass of intended browser restrictions, data exposure, or constrained code/script impact inside the browser context rather than instant host takeover. Because the public bug details remain restricted, exact exploit primitives are still partly inferred from the component, wording, and adjacent Chrome DevTools bugs.

Conditions required:

The vulnerable code path is reached in the installed Chrome build
The victim performs the exact sequence the exploit expects
Browser hardening or policy does not break the exploit chain

Where this breaks in practice:

Restricted bug details make copycat exploitation slower
Modern Chrome sandboxing and site isolation reduce blast radius for many browser-only bugs
A fragile UI-driven exploit often breaks across minor build, locale, or workflow differences

Detection/coverage: Network scanners cannot see this. Browser telemetry, crash reporting, and post-event forensic review of browsing artifacts are the realistic coverage points.

STEP 04

Harvest browser-side impact

If exploitation succeeds, the attacker gets whatever this DevTools path enables — most plausibly a browser security-boundary bypass, cross-origin data exposure, or execution within a constrained user/browser context. That is still bad on privileged admin workstations and developer endpoints, but it is not the same operational story as a no-click RCE in a universally exposed service.

Conditions required:

Victim session contains data worth stealing or privileged access worth abusing
The attacker can monetize browser-context access
No downstream controls interrupt follow-on abuse

Where this breaks in practice:

Impact is usually tied to the active user session, not full fleet compromise
EDR, CASB, and IdP anomaly detection may catch follow-on abuse
Blast radius is endpoint- and session-scoped unless chained with another bug

Detection/coverage: Look for suspicious browser child-process behavior, abnormal token/session use after browsing, and unusual cross-origin access patterns where browser telemetry exists.

03 · Intelligence Metadata

The supporting signals.

Record quality	Intel mismatch: Google’s June 2026 Chrome desktop release notes show `CVE-2026-11022` as the DevTools input-validation entry; `CVE-2026-10922` is not listed there. I assessed the described flaw, not the typo.
In-the-wild status	No confirmed active exploitation found. Google’s June 2, 2026 desktop advisory does not include the explicit 'Google is aware of an exploit' language it uses on real zero-days like `CVE-2025-6554`.
KEV status	Not KEV-listed based on the current CISA KEV catalog.
EPSS	0.00021 from your prompt. That is effectively background noise and fits the narrow, user-steered DevTools attack path.
Proof-of-concept availability	No public PoC located for `CVE-2026-10922`, and no public exploit repository surfaced for the likely intended `CVE-2026-11022` either.
Affected versions	Prompt states Chrome before `149.0.7827.53`. Google’s desktop update on June 2, 2026 patched Windows/macOS at `149.0.7827.53/.54` and Linux at `149.0.7827.53`.
Fixed versions	Windows/macOS: `149.0.7827.53/.54` or later. Linux: `149.0.7827.53` or later. Chrome on Android inherited the same desktop security fixes in `149.0.7827.59`.
Vendor severity baseline	None for `CVE-2026-10922`. For the likely adjacent official record, Google labeled `CVE-2026-11022` (DevTools, insufficient validation of untrusted input) as Medium in the June 2026 stable release.
Comparable Chrome history	Chrome has rated similar DevTools bugs across Low to Medium: `CVE-2025-4051` was Medium, while `CVE-2026-5901` (policy bypass in DevTools) and `CVE-2026-11250` (inappropriate implementation in DevTools) were Low.
Exposure reality	Product exposure is huge; vulnerable workflow exposure is not. Chrome is ubiquitous, but only a minority of enterprise users enter DevTools or comply with DevTools-specific lures, which is the main downward pressure on severity.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to MEDIUM (4.6/10)

The single biggest severity reducer is the DevTools interaction requirement: this is not broadly reachable through normal browsing and it does not behave like a mass-exploitable browser zero-click. I kept it at MEDIUM instead of LOW because Chrome is everywhere, the component sits on sensitive admin/developer workstations, and browser security-boundary flaws can still be valuable when they land on the right user.

MEDIUM Severity assessment of the described DevTools flaw

LOW Exact CVE-to-description mapping due to `10922` vs `11022` mismatch

MEDIUM Estimated practical exploitability without public bug details

Why this verdict

Downward adjustment: requires attacker steering into DevTools — that implies a narrower user population than ordinary drive-by browser bugs and usually means developers, admins, or power users.
Downward adjustment: user interaction is part of the exploit chain — the attacker needs a believable lure and exact actions, which modern web/email controls and user skepticism frequently break.
Downward adjustment: no active exploitation or KEV signal — there is no evidence this is being operationalized in the wild today, and the EPSS provided is extremely low.
Upward adjustment: Chrome is fleet-wide software — even a niche browser bug matters when the product footprint is enormous and privileged users browse from sensitive endpoints.
Upward adjustment: browser-session impact can still be valuable — successful exploitation against an admin or developer workstation can expose cross-origin data, tokens, or follow-on access despite the narrow entry path.

Why not higher?

This does not read like an internet-facing service bug, a zero-click browser exploit, or a confirmed in-the-wild Chrome zero-day. The path is gated by DevTools-specific behavior and likely exact UI actions, which is too much friction for a HIGH or CRITICAL rating in a real enterprise environment.

Why not lower?

Chrome is one of the highest-footprint applications in the enterprise, and browser flaws on privileged workstations can turn into meaningful access even when the initial primitive is constrained. The combination of large deployment base plus potentially sensitive user populations keeps this above simple backlog-only hygiene.

05 · Compensating Control

What to do — in priority order.

Enforce Chrome auto-update — Make sure managed endpoints are actually consuming the fixed builds and not pinned on stale versions by broken update rings or frozen VDI images. For a MEDIUM finding there is no mitigation SLA, but this is still the cleanest control to deploy while you work through the remediation window.
Restrict DevTools where you can — Use Chrome enterprise policy to disable or limit DevTools for non-developer populations, kiosks, and shared admin jump boxes where it is not business-required. This directly attacks the main prerequisite in the exploit chain; for MEDIUM, there is no mitigation SLA.
Segregate privileged browsing — Keep admin, cloud control-plane, and production support sessions off general-purpose browsing endpoints or run them in hardened admin workstations/browser isolation. That reduces the payoff if a user-targeted browser exploit lands; for MEDIUM, there is no mitigation SLA.
Block 'open DevTools and do X' social engineering — Tune secure email/web awareness and detection rules around lures that instruct users to press F12, paste console snippets, or inspect elements. That is a high-signal behavioral choke point for this class of issue; for MEDIUM, there is no mitigation SLA.

What doesn't work

WAF does not solve an endpoint-side DevTools bug; the vulnerable parser/UI lives in the browser, not your edge reverse proxy.
Perimeter vulnerability scanning will mostly miss this because the issue is triggered through local browser behavior, not a remotely fingerprintable server banner.
MFA helps for account takeover aftermath but does not prevent exploitation of the browser bug itself.

06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your software inventory agent. Invoke it with python3 check_chrome_149.py on macOS/Linux or py check_chrome_149.py on Windows; no admin rights are required, though access to the Windows registry improves coverage. It checks common Chrome/Chromium install locations and prints exactly one of VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# check_chrome_149.py
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

import os
import platform
import re
import shutil
import subprocess
import sys

TARGET = (149, 0, 7827, 53)
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)\.(\d+)')


def parse_version(text):
    if not text:
        return None
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def cmp_version(a, b):
    return (a > b) - (a < b)


def run_cmd(cmd):
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10)
        out = (p.stdout or '') + '\n' + (p.stderr or '')
        return out.strip()
    except Exception:
        return ''


def windows_registry_versions():
    versions = []
    try:
        import winreg
    except Exception:
        return versions

    paths = [
        r'SOFTWARE\Google\Chrome\BLBeacon',
        r'SOFTWARE\WOW6432Node\Google\Chrome\BLBeacon',
        r'SOFTWARE\Chromium\BLBeacon',
        r'SOFTWARE\WOW6432Node\Chromium\BLBeacon',
    ]
    hives = []
    try:
        import winreg
        hives = [winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE]
        for hive in hives:
            for path in paths:
                try:
                    k = winreg.OpenKey(hive, path)
                    val, _ = winreg.QueryValueEx(k, 'version')
                    v = parse_version(str(val))
                    if v:
                        versions.append(('registry:' + path, v))
                except Exception:
                    pass
    except Exception:
        pass
    return versions


def windows_file_versions():
    candidates = [
        os.path.expandvars(r'%ProgramFiles%\Google\Chrome\Application\chrome.exe'),
        os.path.expandvars(r'%ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe'),
        os.path.expandvars(r'%LocalAppData%\Google\Chrome\Application\chrome.exe'),
        os.path.expandvars(r'%ProgramFiles%\Chromium\Application\chrome.exe'),
        os.path.expandvars(r'%ProgramFiles(x86)%\Chromium\Application\chrome.exe'),
    ]
    found = []
    for path in candidates:
        if path and os.path.exists(path):
            out = run_cmd([path, '--version'])
            v = parse_version(out)
            if v:
                found.append((path, v))
    return found


def unix_versions():
    names = [
        'google-chrome', 'google-chrome-stable', 'chromium', 'chromium-browser',
        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
        '/Applications/Chromium.app/Contents/MacOS/Chromium',
        '/usr/bin/google-chrome', '/usr/bin/google-chrome-stable',
        '/usr/bin/chromium', '/usr/bin/chromium-browser'
    ]
    found = []
    for name in names:
        path = shutil.which(name) if not name.startswith('/') else name
        if path and os.path.exists(path):
            out = run_cmd([path, '--version'])
            v = parse_version(out)
            if v:
                found.append((path, v))
    return found


def main():
    system = platform.system().lower()
    detections = []

    if 'windows' in system:
        detections.extend(windows_registry_versions())
        detections.extend(windows_file_versions())
    else:
        detections.extend(unix_versions())

    # Deduplicate by version while preserving evidence paths
    if not detections:
        print('UNKNOWN')
        sys.exit(2)

    # If any detected Chrome/Chromium build is below target, mark vulnerable.
    vulnerable = []
    patched = []
    for src, ver in detections:
        if cmp_version(ver, TARGET) < 0:
            vulnerable.append((src, ver))
        else:
            patched.append((src, ver))

    if vulnerable:
        print('VULNERABLE')
        for src, ver in vulnerable:
            print(f'{src} -> {ver[0]}.{ver[1]}.{ver[2]}.{ver[3]}')
        sys.exit(1)

    if patched:
        print('PATCHED')
        for src, ver in patched:
            print(f'{src} -> {ver[0]}.{ver[1]}.{ver[2]}.{ver[3]}')
        sys.exit(0)

    print('UNKNOWN')
    sys.exit(2)


if __name__ == '__main__':
    main()

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: treat this as a browser-fleet hygiene item with user-steered exploit friction, not an emergency war room. Because the reassessed bucket is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; validate which endpoints are still below 149.0.7827.53/.54, let standard Chrome update channels pull them forward, and finish patching within the noisgate remediation SLA of ≤365 days. If you have developer workstations, admin browsers, kiosks, or VDI images with frozen Chrome builds, prioritize those first because they are the subset most likely to satisfy the DevTools prerequisite.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.