Type Confusion in GPU in Google Chrome on Windows prior to 149

CVE-2026-11052 is a type confusion bug in Chrome's GPU path on Windows. Affected systems are Google Chrome on Windows before 149.0.7827.53; Google’s June 2, 2026 desktop stable release moved Windows and macOS to 149.0.7827.53/54 and Linux to 149.0.7827.53. The key detail is not the memory corruption class; it is the prerequisite baked into the description: the attacker must have already compromised the renderer process and then use crafted HTML to pivot into the GPU side for a potential sandbox escape.

Vendor CVSS says CRITICAL 9.6, but that overstates enterprise urgency if you patch by exploitability instead of by theoretical impact. In real life this is a post-renderer-compromise escape on one platform, with no KEV listing, very low EPSS, no public PoC located, and no evidence of in-the-wild use in the sources reviewed. The vendor score models the end-state impact of a successful chain; defenders should score the chain friction, and the biggest friction here is that you need a separate bug first.

Why this verdict

• Requires a first exploit first: this is not unauthenticated remote code execution from a web page by itself; it is only useful after the renderer is already compromised, which is major downward pressure from the vendor's 9.6 baseline.
• Windows-only scope narrows the population: Mac and Linux endpoints are out for this exact CVE, so only the Windows browser fleet is in play.
• Threat telemetry is cold: no KEV, no public PoC found, and EPSS is extremely low, so there is no evidence this is currently a fast-follow exploitation priority.
• Blast radius is user-session/browser-bound, not instant host takeover: a successful exploit likely escapes the renderer boundary, but it still does not equal kernel or domain compromise on its own.
• Modern controls should break parts of the chain: Chrome sandboxing, browser auto-update, exploit mitigations, and EDR all create additional failure points after the initial renderer bug.

Why not higher?

If this were directly reachable from web content without a prior compromise, or if there were active exploitation/KEV evidence, this would climb fast. But the explicit prerequisite means the attacker has already cleared the hardest browser boundary once, which materially lowers standalone patch urgency.

Why not lower?

It is still a sandbox escape candidate in a massively deployed client application. If paired with a renderer bug, it can turn a contained browser foothold into code execution outside the renderer, which is real risk for phishing-heavy and internet-exposed user populations.

1. Enforce Chrome auto-update and restart compliance — Use your browser management stack to verify Windows endpoints actually advance past 149.0.7827.53 and that users restart the browser so the new build is live. For a MEDIUM noisgate verdict there is no mitigation SLA — go straight to the 365-day remediation window, but browser updates are cheap, so treat restart compliance as the fastest practical risk reduction.
2. Harden high-risk browsing tiers — For admins, developers, finance, executives, and help-desk staff, apply stricter browser posture: limit unnecessary GPU-accelerated features where business-tolerable, isolate risky browsing, and keep exploit protection policies enabled. There is no mitigation SLA for MEDIUM here, so use this as selective hardening while you complete normal remediation inside the 365-day window.
3. Watch for browser exploit-chain behaviors — Tune EDR and SOC detections for repeated chrome.exe crashes, suspicious child processes from Chrome, anomalous downloads launched by Chrome, and browser-originated LOLBin activity. This does not fix the bug, but it is the right defensive lens for a flaw that only matters after a renderer compromise.
4. Prioritize unmanaged and lagging Windows endpoints — The vulnerable population is the part of your fleet that misses normal browser auto-updates: kiosks, VDI images, gold images, offline laptops, and tightly controlled desktops. Use version inventory to close those gaps; for this MEDIUM reassessment, work it through the standard 365-day remediation window unless new exploitation evidence appears.

Run this on the target Windows endpoint or through your endpoint management/remote PowerShell tooling. Example: powershell.exe -ExecutionPolicy Bypass -File .\check-chrome-cve-2026-11052.ps1; no admin rights are required for local version checks, though remote execution rights depend on your management platform.

# check-chrome-cve-2026-11052.ps1\n# Purpose: Determine whether Google Chrome on Windows is vulnerable to CVE-2026-11052\n# Logic: Chrome versions earlier than 149.0.7827.53 are VULNERABLE\n# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN\n\n$ErrorActionPreference = 'Stop'\n\nfunction Get-ChromeVersion {\n    $candidates = @(\n        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',\n        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',\n        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'\n    )\n\n    foreach ($key in $candidates) {\n        try {\n            $item = Get-ItemProperty -Path $key -ErrorAction Stop\n            $path = $item.'(default)'\n            if ($path -and (Test-Path $path)) {\n                $ver = (Get-Item $path).VersionInfo.ProductVersion\n                if ($ver) {\n                    return [PSCustomObject]@{ Path = $path; Version = $ver }\n                }\n            }\n        } catch { }\n    }\n\n    $fileCandidates = @(\n        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",\n        "$env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe",\n        "$env:LocalAppData\Google\Chrome\Application\chrome.exe"\n    )\n\n    foreach ($path in $fileCandidates) {\n        if ($path -and (Test-Path $path)) {\n            try {\n                $ver = (Get-Item $path).VersionInfo.ProductVersion\n                if ($ver) {\n                    return [PSCustomObject]@{ Path = $path; Version = $ver }\n                }\n            } catch { }\n        }\n    }\n\n    return $null\n}\n\ntry {\n    $installed = Get-ChromeVersion\n    if (-not $installed) {\n        Write-Output 'UNKNOWN: Google Chrome not found on this host.'\n        exit 2\n    }\n\n    $installedVersion = [version]$installed.Version\n    $fixedVersion = [version]'149.0.7827.53'\n\n    if ($installedVersion -lt $fixedVersion) {\n        Write-Output ("VULNERABLE: Chrome {0} at {1} is older than fixed version {2}." -f $installed.Version, $installed.Path, $fixedVersion)\n        exit 1\n    } else {\n        Write-Output ("PATCHED: Chrome {0} at {1} is at or above fixed version {2}." -f $installed.Version, $installed.Path, $fixedVersion)\n        exit 0\n    }\n} catch {\n    Write-Output ("UNKNOWN: Failed to determine Chrome version. Error: {0}" -f $_.Exception.Message)\n    exit 2\n}\n

Sources

1. Google Chrome Releases - Stable Channel Update for Desktop (June 2, 2026)
2. Canadian Centre for Cyber Security AV26-544
3. Quanteta CVE Tracker - CVE-2026-11052
4. VulDB - CVE-2026-11052 in Chrome
5. Chromium Sandbox Design
6. Chromium Multi-process Architecture
7. CISA Known Exploited Vulnerabilities Catalog
8. FIRST EPSS