CVE-2026-11000 · Use after free in Fonts in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbo

01 · The Real Story

This is a burglar locked in your lobby, not loose in the building

CVE-2026-11000 is a use-after-free in Chrome's Fonts handling on Linux. A victim must browse to a crafted HTML page, which can trigger memory corruption and let attacker-controlled code run inside the sandboxed renderer. Affected builds are Google Chrome on Linux before 149.0.7827.53; the fixed Linux stable build is 149.0.7827.53.

The scary part is the word *RCE*, but the important qualifier is inside a sandbox. In practice that means this bug is usually stage 1 of a chain, not full host compromise by itself. The supplied 8.8/High baseline overstates enterprise urgency for most fleets; Chrome's own June 2, 2026 release notes list this issue as Medium, which better matches the real-world friction: Linux-only, user interaction required, renderer confinement, no KEV, and extremely low EPSS.

"Real bug, but this is renderer-only on Linux with user interaction and no escape: patch it, don't fire-drill it"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the victim on a malicious page

The attacker needs the user to render attacker-controlled web content, typically via phishing, malvertising, or a compromised legitimate site. The 'weaponized tool' here is just a crafted HTML/CSS page that exercises the vulnerable Fonts path; there is no service to hit directly.

Conditions required:

Target is running Chrome on Linux before 149.0.7827.53
User browses to attacker-controlled or attacker-influenced content
Standard browser protections do not block delivery first

Where this breaks in practice:

Requires UI:R; this is not a wormable or scan-and-pop server bug
Linux Chrome population is materially smaller than Windows/macOS enterprise browser population
Email/web filtering, DNS filtering, and browser safe-browsing reduce initial reach

Detection/coverage: Network scanners will miss this entirely. Detection is mostly via asset inventory for browser version plus web/email telemetry for delivery attempts.

STEP 02

Trigger the Fonts use-after-free in the renderer

Once the page loads, the exploit must steer the vulnerable font-processing path into a use-after-free and turn that memory corruption into control of renderer execution. The practical 'tool' is a custom exploit payload, likely combining malformed font inputs with timing/layout grooming in HTML/CSS/JS.

Conditions required:

Exploit must reliably hit the vulnerable code path on the target build
Heap shaping must work against the target's allocator and mitigations
The specific Linux browser build and runtime environment must behave as expected

Where this breaks in practice:

Modern Chrome exploit mitigations make reliable renderer exploitation non-trivial
Font and distro differences can hurt exploit portability and reliability
Bug details remain restricted, which slows broad commodity weaponization

Detection/coverage: Crash telemetry may show renderer crashes, but signature-based detection for the trigger itself is weak until a public exploit emerges.

STEP 03

Execute code in the sandboxed renderer

Successful exploitation buys code execution in a sandboxed Chrome renderer, not arbitrary code execution on the host. A likely 'tool' at this phase is a lightweight in-renderer stager used to steal page data, abuse browser-accessible context, or prepare for a second vulnerability.

Conditions required:

Renderer exploit is fully reliable
Site isolation and renderer process boundaries still allow the attacker's intended target data path
No EDR/browser hardening kills the child process on anomalous behavior

Where this breaks in practice:

Renderer confinement sharply limits OS access and direct post-exploitation options
Impact may be limited to page/session context unless chained further
Enterprise EDR can flag anomalous child-process or browser memory behavior

Detection/coverage: EDR may catch browser child-process abuse or crash/restart anomalies, but many orgs have limited visibility inside renderer processes.

STEP 04

Chain a sandbox escape for host compromise

To turn this into a workstation takeover, the attacker normally needs a second bug or separate abuse path that breaks out of Chrome's Linux sandbox. That second-stage 'tool' is not part of CVE-2026-11000, and Chromium's own Linux sandboxing model is explicitly designed to make renderer compromise a contained event.

Conditions required:

Attacker has or finds a usable sandbox escape or equivalent post-renderer pivot
Target's Linux sandboxing layers are enabled and not weakened by unsafe launch flags
The attacker has a meaningful objective beyond renderer-local execution

Where this breaks in practice:

This CVE does not include a sandbox escape
Chrome uses layered Linux sandboxing, which is the biggest downward pressure on severity
Without a chain, host-level blast radius is limited

Detection/coverage: Look for browser launches with --no-sandbox, abnormal child-process trees, and follow-on exploit behavior. Vulnerability scanners can validate version, but not the presence of a working chain.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found. As of 2026-06-05, it is not listed in the CISA KEV catalog.
PoC availability	No public PoC located in authoritative sources. Chromium notes bug details may remain restricted until most users are patched, which usually delays commodity exploit copycats.
EPSS	0.0008 from the supplied intel, which is extremely low probability in the next 30 days. FIRST documents EPSS as a forward-looking exploitation probability model, not an impact score.
KEV status	Not KEV-listed as of 2026-06-05; therefore there is no CISA federal due date attached.
Severity mismatch	The supplied baseline is 8.8 / High via CISA-ADP CVSS in NVD, but Chrome's own June 2, 2026 advisory labels CVE-2026-11000 as Medium. That mismatch matters here because the advisory also states execution is inside a sandbox.
CVSS vector reality check	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` assumes high impact after code exec, but it doesn't discount sandbox confinement enough for defender prioritization. The `UI:R` and renderer-only nature are the two biggest reasons this scores lower operationally.
Affected versions	Google Chrome on Linux before 149.0.7827.53. NVD also records the Linux platform association for the affected product.
Fixed versions	149.0.7827.53 on Linux per Chrome's stable release notes. For distro-packaged Chromium, verify the distro advisory because some vendors may backport fixes without changing to the exact upstream-looking version string.
Scanning and exposure	Internet exposure data is not meaningful here: this is client-side browser software, not a listening service. Use EDR, package inventory, browser management telemetry, or endpoint scanners; Shodan/Censys/FOFA-style counts are effectively N/A.
Disclosure and reporter	Disclosed 2026-06-04 in NVD and included in Chrome stable release notes published 2026-06-02. Chrome credits `c6eed09fc8b174b0f3eebedcceb1e792` and says it was reported on 2026-03-13.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.1/10)

The decisive factor is renderer-only code execution inside Chrome's Linux sandbox. This is a real browser memory-corruption bug, but without a sandbox escape it is usually one link in a chain, not an immediate fleet-compromise event.

HIGH Affected version range and fixed Linux build

HIGH Severity downward pressure from sandbox confinement and UI requirement

MEDIUM Absence of public PoC or active exploitation at assessment time

Why this verdict

Downgrade from 8.8/High: the attacker gets code execution inside a sandboxed renderer, not a clean workstation takeover
UI:R is real friction: the bug needs the victim to load attacker content, which implies phishing, malvertising, or site compromise rather than unauthenticated direct reachability
Linux-only narrows population: many enterprise fleets have smaller Linux desktop/browser footprints, so the exposed population is materially lower than a cross-platform Chrome bug
No KEV, no public exploitation, very low EPSS: there is no current evidence this is being broadly weaponized in the wild
Chrome itself tagged it Medium: the vendor release notes classify this specific flaw as Medium, aligning with the practical constraints better than the raw CVSS math

Why not higher?

Because this CVE stops at sandboxed renderer execution. To turn it into meaningful host compromise, an attacker usually needs a second bug, a weakened sandbox posture, or some separate post-renderer abuse path; that missing link is exactly why this should not sit in the same queue as true pre-auth remote workstation takeover bugs.

Why not lower?

Because it is still a remote browser memory-corruption flaw in a widely used application class, and those bugs do get chained. If you run Linux engineering workstations, admins, or internet-facing browsing personas, the risk is not trivial even without current exploitation evidence.

05 · Compensating Control

What to do — in priority order.

Block unsafe browser launch flags — Hunt for and prohibit Chrome starts with --no-sandbox or similar weakening flags via endpoint controls and hardening baselines. That matters immediately because the biggest severity reduction here comes from the sandbox; for a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this control should stay permanent.
Constrain Linux browser egress — Apply role-based web filtering, DNS filtering, and category blocks on Linux endpoints used for admin or developer browsing. This reduces the only practical initial access route—delivery of a crafted page—and is worth keeping if patch rollout lags; again, no mitigation SLA applies for a MEDIUM verdict.
Prioritize high-risk Linux user groups — If you cannot patch the whole Linux fleet at once, identify developers, security staff, and privileged admins who browse from Linux desktops and move them first. The risk is user-driven and browser-local, so narrowing exposure on those personas gives better return than blind fleetwide panic patching.
Use browser version telemetry — Drive verification from package inventory, managed browser telemetry, or EDR software inventory rather than network scans. This is the only scalable way to prove exposure for a browser CVE across a 10,000-host estate.

What doesn't work

Perimeter vulnerability scanning doesn't help much because there is no server-side socket to probe; this is endpoint software.
A WAF is irrelevant because the vulnerable component is the client browser renderer, not your web application stack.
MFA does not reduce exploitability here; the attack path is malicious content rendering, not account login abuse.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux endpoint or through your EDR/script runner. Invoke it as bash chrome_cve_2026_11000_check.sh; it needs only normal user rights to read executable versions, though root may help if you're checking package metadata on locked-down hosts. The script reports VULNERABLE, PATCHED, or UNKNOWN and exits 1, 0, or 2 respectively.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# Check exposure to CVE-2026-11000 on Linux Chrome/Chromium endpoints.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

FIXED_VERSION="149.0.7827.53"

have_cmd() {
  command -v "$1" >/dev/null 2>&1
}

extract_version() {
  # Pull first dotted quad version from arbitrary text.
  echo "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n1
}

version_ge() {
  # Returns 0 if $1 >= $2 using sort -V semantics.
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

get_browser_version() {
  local out=""

  for bin in google-chrome google-chrome-stable chromium chromium-browser chrome; do
    if have_cmd "$bin"; then
      out="$($bin --version 2>/dev/null || true)"
      v="$(extract_version "$out")"
      if [ -n "${v:-}" ]; then
        echo "$bin|$v|binary"
        return 0
      fi
    fi
  done

  if have_cmd dpkg-query; then
    for pkg in google-chrome-stable chromium chromium-browser; do
      out="$(dpkg-query -W -f='${Version}\n' "$pkg" 2>/dev/null || true)"
      v="$(extract_version "$out")"
      if [ -n "${v:-}" ]; then
        echo "$pkg|$v|dpkg"
        return 0
      fi
    done
  fi

  if have_cmd rpm; then
    for pkg in google-chrome-stable chromium; do
      out="$(rpm -q --qf '%{VERSION}\n' "$pkg" 2>/dev/null || true)"
      v="$(extract_version "$out")"
      if [ -n "${v:-}" ]; then
        echo "$pkg|$v|rpm"
        return 0
      fi
    done
  fi

  return 1
}

result="$(get_browser_version || true)"

if [ -z "$result" ]; then
  echo "UNKNOWN - Chrome/Chromium not found or version could not be determined"
  exit 2
fi

name="$(echo "$result" | cut -d'|' -f1)"
version="$(echo "$result" | cut -d'|' -f2)"
source_type="$(echo "$result" | cut -d'|' -f3)"

if version_ge "$version" "$FIXED_VERSION"; then
  echo "PATCHED - $name version $version detected via $source_type (fixed: $FIXED_VERSION)"
  exit 0
else
  echo "VULNERABLE - $name version $version detected via $source_type (fixed: $FIXED_VERSION)"
  exit 1
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: query your Linux endpoint inventory for Chrome/Chromium versions and close anything below 149.0.7827.53, but do not let this displace true host-compromise or KEV-active work. For this MEDIUM reassessment there is noisgate mitigation SLA: no mitigation SLA — go straight to the 365-day remediation window; the noisgate remediation SLA is patch within 365 days. If you have high-risk Linux browsing personas or any endpoints running Chrome with weakened sandbox settings, move them to the front of that queue this quarter instead of treating this as an immediate all-hands event.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.