← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11022 · CWE-20 · Disclosed 2026-06-04

Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is the deadbolt on an interior office door failing after the intruder is already inside the building

CVE-2026-11022 is an *improper input validation* flaw in Chrome DevTools affecting Chrome versions before 149.0.7827.53 on Linux and before 149.0.7827.53/.54 on Windows and macOS. Google labels it Medium, and the user-supplied description fragment indicates the attacker already needs a prior foothold in the browser (who had compromised ...). Based on that fragment and adjacent Chrome DevTools cases from the same release train, this looks like a *post-renderer-compromise* trust-boundary failure inside the browser rather than a clean one-shot remote compromise.

That matters more than the component name. DevTools bugs sound scary, but the real question is whether this gets an attacker from *the internet* to *your endpoint* by itself. It does not. The decisive friction is the prerequisite: the attacker likely needs a separate renderer compromise first, which means this CVE is mostly valuable as a *chain amplifier* for an existing browser exploit, not as an initial-access primitive.

"This is a post-renderer-compromise browser boundary crack, not a standalone internet-to-endpoint fire."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land renderer compromise with a separate bug

The attacker first needs code execution or equivalent control inside Chrome's renderer process using some other vulnerability or exploit chain. CVE-2026-11022 does not appear to provide that first-stage foothold on its own; it only becomes interesting after the renderer boundary is already cracked.
Conditions required:
  • Victim is running vulnerable Chrome prior to 149.0.7827.53
  • Attacker has a separate renderer-compromise primitive
  • Victim browses attacker-controlled content or otherwise triggers the chain
Where this breaks in practice:
  • Requires a second vulnerability or exploit stage before this CVE matters
  • Modern browser hardening, exploit mitigations, and rapid auto-update shrink usable population
  • EDR, sandboxing, and crash telemetry often surface first-stage attempts
Detection/coverage: Commodity vuln scanners will detect version exposure, but they cannot prove the renderer-compromise precondition. Browser exploit chains are usually detected through crash spikes, exploit telemetry, or EDR/browser isolation signals rather than signature-only scanning.
STEP 02

Reach the DevTools validation flaw

Once inside the renderer, the attacker abuses malformed or untrusted input that DevTools mishandles. That gives the compromised renderer a path into functionality that should have enforced stricter boundaries.
Conditions required:
  • Renderer is already compromised
  • DevTools code path is reachable from the crafted content/state
  • Target browser build still contains the flawed validation logic
Where this breaks in practice:
  • Post-compromise reachability to the exact DevTools path may be brittle across builds
  • Some enterprises reduce risk with site isolation, browser sandboxing, and frequent restarts/updates
Detection/coverage: Version-based scanners can flag the build. Runtime detection is weak unless your telemetry captures browser crashes, renderer anomalies, or DevTools-related abuse.
STEP 03

Abuse the weakened browser boundary

The likely impact is not host takeover but *browser-boundary erosion* such as cross-origin data access or similar policy bypass inside the browser context. That conclusion is an inference from the truncated description and the pattern of neighboring Chrome DevTools CVEs in the same time window, not a direct quote from a full public record.
Conditions required:
  • Successful abuse of the DevTools trust boundary
  • Valuable browser-resident data exists in reachable contexts
  • User is authenticated to target web apps
Where this breaks in practice:
  • Impact is limited to what the browser session exposes
  • No evidence in retrieved sources of a direct sandbox escape or OS-level code execution from this CVE alone
Detection/coverage: DLP, proxy logs, browser isolation, and suspicious cross-origin access telemetry may catch exfiltration side effects, but there is no strong productized detection signature for this CVE by itself.
STEP 04

Exfiltrate session data or chain onward

If the attacker can read protected browser data, they can steal tokens, page content, or session-scoped secrets and use them elsewhere. In practice this is a *multiplier* on a separate Chrome exploit, not a standalone breach path.
Conditions required:
  • Useful enterprise SaaS sessions exist in the browser
  • Network egress or attacker-controlled endpoint is available for exfiltration
Where this breaks in practice:
  • SSO session protections, conditional access, and token binding can reduce replay value
  • Short-lived sessions and step-up auth limit blast radius
Detection/coverage: Watch for anomalous SaaS session reuse, impossible travel, token theft follow-on behavior, and browser-to-unknown-domain data transfer.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed active exploitation located in retrieved public sources, and not listed in CISA KEV as of 2026-06-05.
Proof-of-concept availabilityNo public PoC or exploit repo for CVE-2026-11022 was found in retrieved sources. Treat it as *theoretically chainable* but not visibly commoditized.
EPSS0.00021 from the user intel pack — effectively floor-level exploit probability. Percentile was not available in retrieved public sources.
KEV statusNo; no KEV due date because it is not cataloged.
Vendor severity / scoreChromium release notes mark it Medium. There is no vendor CVSS score and no authoritative baseline numeric score to compare against.
Affected versionsChrome before 149.0.7827.53 on Linux and before 149.0.7827.53/.54 on Windows/macOS.
Fixed versionsUpgrade to 149.0.7827.53 or later on Linux and 149.0.7827.53/.54 or later on Windows/macOS. Chrome's auto-update channel should carry the fix quickly unless versions are pinned.
Disclosure / reportingDisclosed 2026-06-04; Chrome release notes say reported by Google on 2026-03-29.
Exposure / scanning realityThis is a client-side browser flaw, so Shodan/Censys/FOFA/GreyNoise do not provide a meaningful internet-exposure lens. Your exposure question is *managed browser version coverage*, not open ports.
Most important prerequisiteThe attack likely requires a prior renderer compromise based on the user-supplied description fragment and same-family Chrome cases. That makes it a *post-initial-compromise browser boundary issue*.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to MEDIUM (4.9/10)

The single biggest severity suppressor is the apparent need for a pre-existing renderer compromise. That sharply narrows real-world reach: this CVE is useful in exploit chains, but it is not a clean internet-to-endpoint path by itself.

HIGH Affected version range and fixed build numbers
MEDIUM Post-renderer-compromise interpretation of the truncated CVE description
HIGH No KEV listing / no public exploitation evidence found

Why this verdict

  • Downward pressure: requires attacker position beyond initial access — the available description fragment strongly suggests the attacker already needs a compromised renderer process, which implies a prior exploit stage.
  • Downward pressure: narrow reachable population per exploit attempt — even though Chrome is everywhere, only systems that are both unpatched *and* successfully hit with a separate renderer exploit can benefit the attacker.
  • Downward pressure: no KEV, no public PoC, near-floor EPSS — the telemetry picture does not support urgent internet-scale exploitation pressure right now.
  • Upward pressure: browser ubiquity and identity-rich sessions — if chained successfully, browser-boundary erosion can expose SaaS data, tokens, and authenticated cross-origin content across a very large enterprise population.

Why not higher?

It does not present as a standalone remote compromise path, and the attacker likely needs a separate renderer exploit first. That compounding prerequisite is exactly the kind of friction that should stop this from being scored like a primary browser RCE or sandbox escape.

Why not lower?

Chrome is ubiquitous, and post-renderer-compromise browser-boundary bugs are still useful in real exploit chains. Even without OS-level takeover, cross-origin data access in enterprise browser sessions can expose SSO-backed business data and make a separate browser exploit materially more valuable.

05 · Compensating Control

What to do — in priority order.

  1. Force browser auto-update health checks — Use Chrome Enterprise reporting to identify pinned, stale, or offline browsers and verify they are moving to 149.0.7827.53+. For a MEDIUM finding there is no mitigation SLA — go straight to the 365-day remediation window, but browsers should usually be cleaned up far faster as part of normal fleet hygiene.
  2. Reduce risky extension surface — Tighten extension allowlisting and remove unnecessary high-permission extensions, especially in privileged user groups. This does not fix the bug, but it reduces adjacent browser abuse paths while you remediate within the 365-day remediation window.
  3. Enable Chrome browser reporting — Turn on managed browser reporting so you can see exact version distribution and prove closure. For MEDIUM, there is no mitigation SLA, so use reporting to drive remediation completeness rather than emergency block actions.
  4. Harden session replay resistance — Prioritize short session lifetimes, phishing-resistant MFA, and conditional access for high-value SaaS apps. That limits the payoff if a browser-side data leak is chained before patch completion in the 365-day remediation window.
What doesn't work
  • A perimeter firewall does nothing meaningful here; this is a local browser parsing/trust-boundary issue, not an inbound service exposure problem.
  • Network vulnerability scans alone do not measure exploitability; they can tell you browser version, but not whether the attacker has the prerequisite renderer compromise.
  • Treating DevTools as 'disabled for users' is not a reliable control unless you can prove the vulnerable code path is unreachable in your managed configuration.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your software-distribution/remote-exec platform. Invoke it with python3 chrome_cve_2026_11022_check.py; no admin rights are required if Chrome is installed in standard locations, though broader filesystem access helps on locked-down hosts.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# chrome_cve_2026_11022_check.py
# Check local Google Chrome version against CVE-2026-11022 fixed versions.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import platform
import re
import shutil
import subprocess
import sys
from pathlib import Path

FIXED_LINUX = (149, 0, 7827, 53)
FIXED_WINMAC = (149, 0, 7827, 53)  # 53/54 are fixed; >=53 is acceptable


def parse_version(text):
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', text or '')
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_gte(a, b):
    return a >= b


def run_cmd(cmd):
    try:
        out = subprocess.check_output(cmd, stderr=subprocess.STDOUT, text=True, timeout=10)
        return out.strip()
    except Exception:
        return None


def detect_linux():
    candidates = [
        shutil.which('google-chrome'),
        shutil.which('google-chrome-stable'),
        shutil.which('chrome'),
        '/opt/google/chrome/chrome',
        '/usr/bin/google-chrome',
        '/usr/bin/google-chrome-stable',
    ]
    for c in candidates:
        if c and Path(c).exists():
            out = run_cmd([c, '--version'])
            ver = parse_version(out)
            if ver:
                return c, ver
    return None, None


def detect_macos():
    app = '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'
    if Path(app).exists():
        out = run_cmd([app, '--version'])
        ver = parse_version(out)
        if ver:
            return app, ver
    return None, None


def detect_windows():
    roots = [
        os.environ.get('ProgramFiles'),
        os.environ.get('ProgramFiles(x86)'),
        os.environ.get('LocalAppData'),
    ]
    candidates = []
    for root in roots:
        if root:
            candidates.append(os.path.join(root, 'Google', 'Chrome', 'Application', 'chrome.exe'))

    for c in candidates:
        if Path(c).exists():
            version_file = os.path.join(os.path.dirname(c), 'chrome.VisualElementsManifest.xml')
            out = run_cmd(['powershell', '-NoProfile', '-Command', f"(Get-Item '{c}').VersionInfo.ProductVersion"])
            ver = parse_version(out)
            if ver:
                return c, ver
    return None, None


def main():
    system = platform.system().lower()

    path = None
    ver = None
    fixed = None

    if 'linux' in system:
        path, ver = detect_linux()
        fixed = FIXED_LINUX
    elif 'darwin' in system:
        path, ver = detect_macos()
        fixed = FIXED_WINMAC
    elif 'windows' in system:
        path, ver = detect_windows()
        fixed = FIXED_WINMAC
    else:
        print('UNKNOWN: unsupported operating system')
        sys.exit(2)

    if not ver:
        print('UNKNOWN: Google Chrome not found or version unreadable')
        sys.exit(2)

    if version_gte(ver, fixed):
        print(f'PATCHED: Chrome version {".".join(map(str, ver))} at {path}')
        sys.exit(0)
    else:
        print(f'VULNERABLE: Chrome version {".".join(map(str, ver))} at {path}')
        sys.exit(1)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, pull a Chrome version report from your management plane, identify browsers still below 149.0.7827.53 (149.0.7827.53/.54 on Windows/macOS), and let normal browser update operations close the gap. Because this is MEDIUM and there is no KEV or active exploitation evidence, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; the noisgate remediation SLA is <=365 days, but for a browser fleet you should still clean up pinned and non-updating endpoints in your next routine browser wave rather than letting them linger.

Sources

  1. Chrome Releases 2026 archive entry showing CVE-2026-11022 severity and report date
  2. Chrome Stable Channel Update for Desktop 149 release
  3. Chrome Early Stable Update for Desktop 149.0.7827.53/.54
  4. Chrome Enterprise: View Chrome version details
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS API documentation
  7. FIRST EPSS data and stats
  8. Research context on Chrome DevTools/Debugger abuse paths
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.