Insufficient policy enforcement in Subresource Integrity in Google Chrome prior to 149

CVE-2026-11038 is a Chrome Subresource Integrity (SRI) policy-enforcement bypass affecting versions prior to 149.0.7827.53 on Linux and 149.0.7827.53/54 on Windows and macOS. The public Chromium report that appears to match this CVE describes a case where an integrity-less modulepreload populates Chrome's module cache first, and a later SRI-pinned module script reuses that cached entry without applying the expected integrity metadata. If the attacker can alter the bytes served for that module URL, Chrome may execute code that does not match the page's declared SRI hash.

Google's MEDIUM 6.5 label is technically defensible in a vacuum because a successful bypass can let attacker-controlled JavaScript run with the victim page's normal authority. But for enterprise patch triage, that overstates the operational urgency: this needs user interaction, a specific affected application pattern, and usually some upstream content/CDN tampering position before it pays off. No KEV, near-zero EPSS, and no credible broad exploitation signals push this down into workstation hygiene, not front-of-queue fire drill.

Why this verdict

• Baseline starts at vendor 6.5, then drops hard for prerequisite chaining: user interaction is required, so this is already not wormable or silently remote against your fleet.
• Minus for narrow exposure population: the vulnerable path appears to require the exact combination of integrity-less modulepreload followed by an SRI-pinned module request for the same URL. That is a small subset of Chrome browsing activity, not the average page load.
• Minus for attacker position and absent threat signal: the attacker usually needs control of or tampering ability over the served module bytes, which often implies separate infrastructure compromise, while EPSS is tiny and KEV is absent.

Why not higher?

This is not a host compromise, sandbox escape, or unauthenticated server-side bug. The exploit chain depends on browser version, page structure, request ordering, and upstream content manipulation, which compounds friction at every hop and sharply limits the reachable population.

Why not lower?

It is still a bona fide security control bypass in a widely deployed browser, and if the chain lands the attacker can run malicious JavaScript with the victim page's authority. For organizations with high-trust internal web apps or sensitive customer workflows that lean on SRI, the integrity impact is real enough that IGNORE would be too dismissive.

1. Keep Chrome auto-update healthy — Validate enterprise update telemetry, Omaha/Google Update health, and relaunch compliance so the fixed build rolls naturally. For a LOW finding there is no SLA; handle this in normal endpoint maintenance rather than a special campaign.
2. Monitor SRI and CSP reporting — If you operate internal or customer-facing web apps, collect SRI/CSP violation reports and watch for module load anomalies, especially around cross-origin ES modules and modulepreload. This is the best compensating visibility while normal browser maintenance catches up.
3. Review cross-origin module design — Application teams should avoid relying on fragile preload/integrity combinations without testing browser behavior, and should prefer consistent integrity metadata on preloaded modules. For this LOW verdict, schedule that review as backlog hygiene rather than an emergency architecture sprint.
4. Isolate high-risk browsing tiers — For admins, finance staff, and privileged operators, use hardened browsing profiles, remote browser isolation, or separate admin workstations where already available. That reduces the blast radius of browser-layer edge cases even when they are not patch-now events.

Run this on the target Windows endpoint or through your remote management tool as a standard user; admin is helpful but not required. Example: powershell -ExecutionPolicy Bypass -File .\check-chrome-cve-2026-11038.ps1. The script checks common machine-wide and per-user Chrome installs and prints VULNERABLE, PATCHED, or UNKNOWN.

# check-chrome-cve-2026-11038.ps1

# Purpose: Detect whether Google Chrome on Windows is older than the fixed version for CVE-2026-11038.

# Fixed versions: 149.0.7827.53 / .54 on Windows. This script treats >= 149.0.7827.53 as patched.

# Exit codes: 0 = PATCHED, 1 = VULNERABLE, 2 = UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'
$FixedVersion = [version]'149.0.7827.53'

function Get-ChromeCandidates {
    $paths = New-Object System.Collections.Generic.List[string]

    $envPaths = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "$env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe",
        "$env:LocalAppData\Google\Chrome\Application\chrome.exe"
    )

    foreach ($p in $envPaths) {
        if ($p -and (Test-Path $p)) { [void]$paths.Add($p) }
    }

    $regLocations = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
    )

    foreach ($key in $regLocations) {
        $item = Get-ItemProperty -Path $key
        if ($item -and $item.'(default)' -and (Test-Path $item.'(default)')) {
            [void]$paths.Add($item.'(default)')
        }
        elseif ($item -and $item.Path -and (Test-Path $item.Path)) {
            [void]$paths.Add($item.Path)
        }
    }

    return $paths | Select-Object -Unique
}

function Get-FileVersionObject([string]$Path) {
    try {
        $fv = (Get-Item $Path).VersionInfo.ProductVersion
        if (-not $fv) { return $null }
        $clean = ($fv -split '\s+')[0]
        return [version]$clean
    }
    catch {
        return $null
    }
}

$candidates = Get-ChromeCandidates
if (-not $candidates -or $candidates.Count -eq 0) {
    Write-Output 'UNKNOWN - Chrome executable not found in common locations.'
    exit 2
}

$results = @()
foreach ($exe in $candidates) {
    $ver = Get-FileVersionObject -Path $exe
    $results += [pscustomobject]@{
        Path = $exe
        Version = if ($ver) { $ver.ToString() } else { $null }
        Vulnerable = if ($ver) { $ver -lt $FixedVersion } else { $null }
    }
}

$known = $results | Where-Object { $_.Version }
if (-not $known -or $known.Count -eq 0) {
    Write-Output 'UNKNOWN - Chrome found, but version could not be determined.'
    $results | ForEach-Object { Write-Output ("Path={0} Version={1}" -f $_.Path, $_.Version) }
    exit 2
}

$anyVuln = $known | Where-Object { $_.Vulnerable -eq $true }
if ($anyVuln) {
    Write-Output 'VULNERABLE'
    $known | Sort-Object Path | ForEach-Object { Write-Output ("Path={0} Version={1}" -f $_.Path, $_.Version) }
    exit 1
}
else {
    Write-Output 'PATCHED'
    $known | Sort-Object Path | ForEach-Object { Write-Output ("Path={0} Version={1}" -f $_.Path, $_.Version) }
    exit 0
}

Sources

1. Google Chrome Releases - Early Stable Update for Desktop
2. Canadian Centre for Cyber Security AV26-544
3. Chromium issue 507024118 public PoC and technical write-up
4. CISA Known Exploited Vulnerabilities Catalog
5. SecurityWeek coverage of Chrome 149 security release
6. W3C Subresource Integrity specification
7. FIRST EPSS model documentation