Inappropriate implementation in Extensions in Google Chrome prior to 149

CVE-2026-11026 is an *Extensions* policy-enforcement flaw in Google Chrome. Per Google and NVD, Chrome versions before 149.0.7827.53 on Linux and 149.0.7827.53/.54 on Windows and macOS let a crafted malicious extension bypass navigation restrictions after the attacker has already convinced a user to install that extension. The affected population is therefore Chrome endpoints running pre-fix builds *and* still allowing user-driven installation of an untrusted extension.

Google rated it Medium, and that is already on the generous side for enterprise prioritization. The decisive friction is not browser exposure; it is the requirement to land a malicious extension first, which is a separate social-engineering or policy-control failure and one many managed fleets materially reduce with allowlists, blocklists, forced installs, or permission gating.

Why this verdict

• Major downward adjustment: malicious extension install is required. That prerequisite implies the attacker already succeeded at phishing, social engineering, or bypassing extension governance before this CVE matters.
• Enterprise exposure is narrower than Chrome's market share suggests. Fleets that enforce extension allowlists, blocklists, forced installs, or permission restrictions remove a large share of the reachable population from this attack path.
• Blast radius is local to the browser session. This is not pre-auth server compromise, wormable network exposure, sandbox escape, or host-level RCE; it is a browser-policy bypass that amplifies a bad extension foothold.

Why not higher?

There is no public evidence here of active exploitation, no KEV listing, and no public exploit chain that turns this into mass compromise. More importantly, the attacker does not get value until the victim installs a malicious extension, which is far more limiting than a normal drive-by browser bug.

Why not lower?

It is still a real Chrome security boundary failure in a ubiquitous product, and once a malicious extension is present this bug can widen what that extension can do. If your fleet permits broad user-driven extension installs, the residual risk is non-zero enough that it should still be patched in routine browser maintenance.

1. Enforce extension allowlisting — Move managed Chrome browsers to approved-extension-only where operationally possible. For a LOW verdict there is no SLA beyond backlog hygiene, but this is the highest-value control because it kills the main prerequisite rather than the bug symptom.
2. Block risky extension permissions — Use Chrome admin controls to deny extensions that request permissions your business does not need, especially broad browsing or data-access capabilities. For LOW, treat this as hygiene work in the normal policy-tuning cycle rather than emergency mitigation.
3. Review newly installed extensions — Mine Chrome Enterprise or endpoint management telemetry for recently installed, sideloaded, or low-reputation extensions. This is useful immediately because the attack chain starts with extension installation, not network exploitation.
4. Keep Chrome auto-update healthy — Browser auto-update is the cleanest remediation path for this class of client bug. For LOW, fold straggler cleanup into standard browser-version compliance reporting rather than carving out a dedicated hotfix campaign.

Run this on the target Windows endpoint or through your software-distribution / RMM tooling. Invoke it with powershell.exe -ExecutionPolicy Bypass -File .\Check-Chrome-CVE-2026-11026.ps1; standard user rights are usually enough because it only reads file and registry version data.

# Check-Chrome-CVE-2026-11026.ps1

# Purpose: Determine whether Google Chrome on a Windows host is vulnerable to CVE-2026-11026

# Logic: Vulnerable if any installed Chrome version is below 149.0.7827.53

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'
$minimumVersion = [version]'149.0.7827.53'
$foundVersions = New-Object System.Collections.Generic.List[version]

function Add-VersionIfValid {
    param([string]$VersionString)
    if ([string]::IsNullOrWhiteSpace($VersionString)) { return }
    try {
        $v = [version]$VersionString
        $foundVersions.Add($v)
    } catch {
        # Ignore unparsable versions

    }
}

# Common Chrome executable locations

$paths = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "$env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe",
    "$env:LocalAppData\Google\Chrome\Application\chrome.exe"
)

foreach ($p in $paths) {
    if (Test-Path $p) {
        try {
            $file = Get-Item $p
            Add-VersionIfValid -VersionString $file.VersionInfo.ProductVersion
            Add-VersionIfValid -VersionString $file.VersionInfo.FileVersion
        } catch {}
    }
}

# Registry uninstall keys as fallback

$regPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

foreach ($rp in $regPaths) {
    try {
        Get-ItemProperty $rp | Where-Object {
            $_.DisplayName -match 'Google Chrome'
        } | ForEach-Object {
            Add-VersionIfValid -VersionString $_.DisplayVersion
        }
    } catch {}
}

if ($foundVersions.Count -eq 0) {
    Write-Output 'UNKNOWN'
    exit 2
}

$uniqueVersions = $foundVersions | Sort-Object -Unique
$minFound = $uniqueVersions | Sort-Object | Select-Object -First 1

if ($minFound -lt $minimumVersion) {
    Write-Output 'VULNERABLE'
    exit 1
} else {
    Write-Output 'PATCHED'
    exit 0
}

Sources

1. NVD record for CVE-2026-11026
2. Chrome stable channel update for Desktop, June 2 2026
3. Chromium issue 497599683
4. CISA Known Exploited Vulnerabilities Catalog
5. FIRST EPSS model documentation
6. Chrome Enterprise: Allow or block apps and extensions
7. Chrome Enterprise policy: ExtensionInstallForcelist
8. MITRE CWE-284 Improper Access Control