← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-10942 · CWE-20 · Disclosed 2026-06-04

Inappropriate implementation in UI in Google Chrome on Windows prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a stolen lobby badge, not an unlocked front door

CVE-2026-10942 is a Windows-only local privilege escalation flaw in Chrome's UI implementation affecting versions prior to 149.0.7827.53. The vendor description and CVSS vector say the attacker needs local access and user interaction, so this is not a drive-by web bug and not an internet-facing server problem; it is a client-side escalation step after the attacker already has code execution or equivalent local reach on the endpoint.

Google's HIGH 7.8 score is defensible in a vacuum because successful exploitation can hit C/H, I/H, A/H. In real enterprise triage, though, the chain has real friction: AV:L means post-initial-access, UI:R means an extra trigger, the issue is Windows-specific, and there is no KEV listing, no public exploitation evidence, and essentially no EPSS signal in the supplied intel. That pushes this down to a patch-it-in-normal-client cadence MEDIUM, not an out-of-band emergency.

"High impact on paper, but this is a post-compromise Windows-only local privesc with no exploitation signal."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land code on the Windows endpoint

The attacker first needs a local foothold on the target Windows host using a separate delivery method such as malware, a malicious installer, or an already-compromised user session. Weaponized tool for this step is a local stager/dropper; no public CVE-specific kit was found in reviewed sources, so assume custom tradecraft rather than commodity one-click exploitation.
Conditions required:
  • Attacker can execute code locally on the Windows host or place a process in the victim's session
  • Chrome is installed and the version is older than 149.0.7827.53
Where this breaks in practice:
  • This prerequisite already implies initial access succeeded elsewhere
  • Enterprise EDR, application control, and phishing controls should stop many real-world attempts before the Chrome bug matters
Detection/coverage: Traditional external vuln scanners will miss this step entirely. EDR process telemetry, installer events, unsigned binary execution, and user-session persistence detections are the meaningful coverage.
STEP 02

Trigger the vulnerable UI path

With local execution established, the attacker must interact with the affected Chrome UI code path on Windows. Weaponized tool here is a custom local launcher or UI automation wrapper; no public PoC or Metasploit module was located, and Chrome commonly withholds bug details until users are updated, so operational exploit development is likely non-trivial but still plausible for a determined attacker.
Conditions required:
  • Victim can be induced to perform the needed UI action, or the attacker can automate the session
  • The relevant Chrome UI path is reachable in the installed configuration
Where this breaks in practice:
  • The CVSS vector includes UI:R, which cuts reliability and scale
  • Session isolation, locked screens, VDI resets, and constrained desktop access reduce practical reach
Detection/coverage: No strong signature-based network detection. Browser crash telemetry, unusual child-process behavior around Chrome, and UI automation activity are better indicators than perimeter tooling.
STEP 03

Convert browser-side weakness into privilege gain

Successful exploitation would let the attacker elevate privileges on the local Windows system. The effective weapon here is a custom privilege-handoff exploit chained from the UI flaw into whatever privileged boundary Chrome exposes on that host; the absence of public exploit evidence suggests this is not broadly automated today.
Conditions required:
  • Exploit works on the specific Windows build and Chrome build in use
  • Host defenses do not block the resulting privileged action
Where this breaks in practice:
  • Exploit stability can vary by Windows version, Chrome channel, hardening, and EDR hooks
  • Modern endpoint protections often detect suspicious token abuse, broker abuse, or privilege transitions even when the underlying bug exists
Detection/coverage: Look for Chrome-associated anomalous privilege changes, unexpected high-integrity child processes, and EDR alerts on token manipulation or protected-resource access.
STEP 04

Use elevated rights for persistence or defense evasion

Once elevated, the attacker can disable security controls, persist more deeply, or access protected data on that endpoint. The toolset at this step shifts to commodity post-exploitation rather than CVE-specific code, which is exactly why local privesc bugs matter even when they are not remotely reachable.
Conditions required:
  • The exploit delivered meaningful elevation beyond the original user context
  • The attacker has time to act before containment
Where this breaks in practice:
  • Blast radius is usually one endpoint at a time, not an enterprise-wide instant compromise
  • Lateral movement still requires additional credentials, access paths, or trust relationships
Detection/coverage: EDR is the main control here: service creation, tamper attempts, scheduled task abuse, LSASS access, and persistence changes should generate detectable artifacts.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed active exploitation in reviewed sources. Not present in CISA KEV, and Google/third-party advisories reviewed do not state exploitation.
Public PoC availabilityNo public PoC located in reviewed web/GitHub searches. Chrome's release process often keeps bug details restricted until more users are updated, so current public exploitability visibility is limited.
EPSS0.00007 from supplied intel, which is effectively ~0.007% modeled exploitation probability over 30 days. Very low signal; authoritative percentile was not confirmed from available accessible sources.
KEV statusNot listed in the CISA KEV catalog. That materially lowers urgency versus Chrome bugs that ship with explicit in-the-wild warnings.
CVSS vector meaningCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H means easy once local, no privileges required, but user interaction is required and the attacker must already be on the box. That is classic post-compromise escalation, not perimeter risk.
Affected versionsGoogle Chrome on Windows prior to 149.0.7827.53 per supplied intel and third-party advisories covering the 149 release train.
Fixed versions149.0.7827.53 or later on Windows. Google also published 149.0.7827.53/.54 for Windows and Mac as part of the early stable rollout; for this CVE, use 149.0.7827.53 as the minimum fixed Windows build.
Exposure and scanning realityInternet exposure data is mostly irrelevant. This is a client-side local bug, so Shodan/Censys/FOFA will not meaningfully measure risk. Exposure equals how many managed Windows endpoints still run old Chrome, which is an EDR/asset-inventory problem, not an external attack-surface problem.
Disclosure timingDisclosed 2026-06-04 per supplied intel, with Google shipping the 149.0.7827.53/.54 early stable update at the end of May 2026 and broader release information appearing in early June 2026.
Researcher / reporting creditPublic credit not confirmed in reviewed sources. That is normal for Chrome: Google often restricts bug details and contributor specifics until the fix has reached a larger portion of the install base.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.6/10)

The decisive factor is attacker position: this vulnerability requires local access on a Windows endpoint, which means the adversary is already past your front door. With no KEV listing, no public exploitation evidence, and extremely low EPSS, this behaves like a post-compromise multiplier, not a fleet-wide emergency patch event.

HIGH Downgrade driven by AV:L + UI:R + Windows-only scope
MEDIUM Assessment of exploit maturity because Chrome bug details are often temporarily restricted

Why this verdict

  • Start at vendor 7.8: the raw technical impact is high if exploitation succeeds, so Google did not overstate the damage potential
  • Downgrade for attacker position: AV:L means the attacker already has a foothold on the endpoint or equivalent local reach, which is compounding downward pressure for enterprise prioritization
  • Downgrade again for reachability: UI:R plus Windows-only scope narrows the exposed population and makes mass exploitation less practical than a normal remote Chrome RCE
  • Keep it at MEDIUM, not LOW: Chrome is ubiquitous on enterprise desktops, and a reliable local privesc can materially strengthen malware or hands-on-keyboard operations once an endpoint is compromised

Why not higher?

There is no evidence here of unauthenticated remote exploitation, internet-scale reachability, KEV inclusion, or active campaigns. This bug does not create initial access by itself; it improves the attacker's position only after they already land on a Windows host and trigger the right UI path.

Why not lower?

Privilege escalation on a heavily deployed browser still matters because it can turn a contained user-context intrusion into a more durable endpoint compromise. Even with low EPSS and no public exploitation signal, the impact on a successfully targeted host is too meaningful to relegate to backlog-only hygiene.

05 · Compensating Control

What to do — in priority order.

  1. Enforce Chrome auto-update — Make sure managed Windows endpoints stay on the Stable channel and are not pinned behind stale policies or broken updaters. For a MEDIUM verdict there is no mitigation SLA, so this is an operational hardening step while you drive patch completion inside the 365-day remediation window.
  2. Hunt for outdated Chrome on Windows — Query EDR, SCCM/Intune, or software inventory for Chrome versions below 149.0.7827.53 and isolate exceptions like kiosks, VDI gold images, and devices with disabled auto-update. There is no mitigation SLA for MEDIUM; use this to shrink residual exposure while completing remediation within 365 days.
  3. Tighten endpoint execution controls — Because the bug is local, AppLocker/WDAC, SmartScreen, attack surface reduction, and EDR prevention directly raise the bar by blocking the attacker from landing or running the prerequisite local stager. For this verdict there is no mitigation SLA; treat it as defense-in-depth while you remediate in the 365-day window.
  4. Watch for Chrome privilege anomalies — Tune detections for Chrome spawning unusual high-integrity children, tamper attempts against security tools, suspicious UI automation, and privilege-transition events. Again, no mitigation SLA applies at MEDIUM, but detection reduces dwell time while patch coverage converges inside the 365-day remediation period.
What doesn't work
  • Perimeter WAFs or network IPS do not materially help; this is a local client-side issue, not an externally exposed web service flaw.
  • Internet attack-surface management tools like Shodan/Censys-based monitoring do not measure this risk well because the vulnerable asset is the endpoint browser version, not an exposed listener.
  • MFA does not stop the exploit path itself; MFA may reduce initial access elsewhere, but once code is local on the host this CVE is about privilege elevation on-device.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows endpoint or through your RMM/EDR live response shell. Example: powershell.exe -ExecutionPolicy Bypass -File .\Test-Chrome-CVE-2026-10942.ps1no admin rights required as long as the script can read Chrome install paths and file version metadata.

noisgate-verify.ps1
POWERSHELLREAD-ONLYSAFE
# Test-Chrome-CVE-2026-10942.ps1

# Checks whether Google Chrome on Windows is vulnerable to CVE-2026-10942

# Vulnerable if installed version is less than 149.0.7827.53

# Exit codes: 0 = PATCHED, 1 = VULNERABLE, 2 = UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'
$fixedVersion = [version]'149.0.7827.53'

function Get-ChromePaths {
    $paths = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LocalAppData\Google\Chrome\Application\chrome.exe"
    )

    $regPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
    )

    foreach ($rp in $regPaths) {
        $p = (Get-ItemProperty -Path $rp).'(default)'
        if ($p) { $paths += $p }
    }

    $paths | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique
}

$chromePaths = Get-ChromePaths
if (-not $chromePaths -or $chromePaths.Count -eq 0) {
    Write-Output 'UNKNOWN - Google Chrome not found on this host'
    exit 2
}

$results = @()
foreach ($path in $chromePaths) {
    try {
        $item = Get-Item $path
        $verString = $item.VersionInfo.ProductVersion
        if (-not $verString) { $verString = $item.VersionInfo.FileVersion }

        # Normalize versions like 149.0.7827.53 (Official Build) to numeric prefix only

        if ($verString -match '(\d+\.\d+\.\d+\.\d+)') {
            $ver = [version]$matches[1]
            $state = if ($ver -lt $fixedVersion) { 'VULNERABLE' } else { 'PATCHED' }
            $results += [pscustomobject]@{
                Path    = $path
                Version = $ver.ToString()
                State   = $state
            }
        }
    }
    catch {
        # Ignore individual path errors and continue

    }
}

if (-not $results -or $results.Count -eq 0) {
    Write-Output 'UNKNOWN - Could not determine Chrome version'
    exit 2
}

$results | ForEach-Object {
    Write-Output ("{0} - {1} - {2}" -f $_.State, $_.Version, $_.Path)
}

if ($results.State -contains 'VULNERABLE') {
    exit 1
}
else {
    exit 0
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not burn an emergency change window on this one unless your telemetry says an actor is already on Windows desktops. Use inventory/EDR to find Chrome <149.0.7827.53 on Windows, make sure auto-update is not broken, and clean up long-tail endpoints through normal client patch operations; for a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window under the noisgate remediation SLA, though in practice a browser patch like this should be absorbed far sooner through standard update hygiene.

Sources

  1. Google Chrome Releases - Early Stable Update for Desktop (149.0.7827.53/.54)
  2. Chrome Releases blog
  3. Chrome Enterprise previous release notes
  4. Chrome browser release channels
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS overview
  7. FIRST EPSS API documentation
  8. Canadian Centre for Cyber Security advisory AV26-544
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.