← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11058 · CWE-472 · Disclosed 2026-06-04

Integer overflow in CredentialProvider in Google Chrome on Windows prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a second lock behind the first lock, not a front door left open

CVE-2026-11058 is an integer overflow in Chrome's CredentialProvider code path on Windows only, fixed in Chrome 149.0.7827.53/54 for Windows/Mac and 149.0.7827.53 for Linux, with this specific bug affecting Windows builds prior to 149.0.7827.53. The public description says the attacker must have already compromised the renderer process; in practical terms, this is not the bug that gets you in from the internet, it is the bug that may help turn a renderer foothold into a sandbox/OS-level escalation.

Reality is lower than a generic 7.5. The decisive friction is the prerequisite chain: unauthenticated remote access is not enough. The attacker needs a separate renderer exploit first, the target must be on Windows, the victim must still be on a vulnerable Chrome build, and the exploit must successfully traverse a browser-to-OS boundary. Google's own Chrome advisory classifies this issue as Medium Chromium severity, which fits operational reality better than a flat HIGH label.

"This is a chain-enabler, not a stand-alone internet worm: it needs prior renderer compromise on Windows."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land renderer execution with a separate bug

The attacker first needs code execution or equivalent memory-corruption control inside Chrome's renderer process, typically via a distinct browser bug triggered by a crafted page. CVE-2026-11058 does not provide that initial foothold by itself; it only matters after the renderer is already compromised.
Conditions required:
  • Victim browses to attacker-controlled content or opens attacker-controlled web content
  • A separate renderer compromise exists and succeeds
  • Target is using vulnerable Chrome on Windows
Where this breaks in practice:
  • This assumes a prior exploit stage, which is major downward pressure on severity
  • Modern browser mitigations, site isolation, and exploit reliability issues break many chains before this stage
  • Safe Browsing, URL filtering, and user behavior controls reduce reach
Detection/coverage: Standard VM scanners will not detect the attack chain; you need browser crash telemetry, exploit-kit/web telemetry, and EDR signals around suspicious browser behavior.
STEP 02

Reach the vulnerable CredentialProvider path

From the compromised renderer, the attacker has to exercise the Windows-specific CredentialProvider path in a way that triggers the integer overflow. That usually means a very particular IPC/message flow and state alignment between sandboxed renderer code and privileged browser or OS-facing components.
Conditions required:
  • Renderer compromise is stable enough to drive post-exploitation logic
  • Chrome version is below 149.0.7827.53 on Windows
  • The relevant code path is reachable in the victim's runtime state
Where this breaks in practice:
  • Windows-only component narrows the exposed population
  • Not every browsing session will hit the necessary state or code path
  • Integer-overflow bugs often crash before they cleanly escalate
Detection/coverage: Vendor release metadata can confirm affected versions, but exploitability of this step is not something Nessus/Qualys can prove. EDR may catch anomalous broker interactions or crash-and-retry loops.
STEP 03

Convert sandbox foothold into higher privilege

If the overflow is weaponized successfully, the attacker may escape the renderer's sandbox boundary and obtain higher privileges on the host. That is the real impact: not initial compromise, but strengthening an already-established browser foothold into something with OS-level consequences.
Conditions required:
  • Successful trigger of the overflow
  • Exploit primitives are sufficient for controlled post-overflow behavior
  • Host defenses do not interrupt the chain
Where this breaks in practice:
  • EDR, exploit protection, CFG/ACG-style mitigations, and broker hardening may stop or destabilize exploitation
  • The blast radius is one actively exploited browser session, not broad unauthenticated service compromise
  • No current public evidence shows this step is being mass-exploited
Detection/coverage: Look for browser child-process anomalies, token/handle abuse, unexpected broker activity, and suspicious process trees rooted in chrome.exe.
STEP 04

Act on the host

After privilege gain, the attacker can pivot from browser compromise to local credential theft, persistence, or lateral movement staging. But that impact is contingent on the whole chain succeeding first, which is why this should be prioritized as a *post-compromise amplifier* rather than a direct internet-edge fire.
Conditions required:
  • Host-level execution after boundary escape
  • Valuable credentials or follow-on paths exist on the endpoint
Where this breaks in practice:
  • Privilege gained may still be constrained by host posture and least-privilege controls
  • Endpoint hardening, PPL/LSA protections, and application control can cap follow-on value
Detection/coverage: EDR has the best shot here; exposure management platforms should treat this as endpoint/browser hygiene, not perimeter exposure.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found in the sources reviewed; Google did not include the usual 'aware of exploit in the wild' language in the June 2, 2026 Chrome release note.
KEV statusNot listed in CISA KEV as of review; the catalog is the canonical reference for known exploitation. CISA KEV
PoC availabilityNo credible public PoC located on GitHub or Exploit-DB during review. That matters because this bug is only useful after a renderer foothold, so lack of tooling further suppresses near-term enterprise risk.
EPSS0.00068 from the user-supplied intel, which is extremely low in absolute terms; EPSS measures the probability of exploitation activity in the next 30 days, not impact. EPSS docs
CVSS vectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H maps to remote delivery and high impact on paper, but it understates the practical prerequisite that the attacker must already own the renderer.
Affected versionsChrome on Windows prior to 149.0.7827.53. The broader Chrome 149 stable release covered 149.0.7827.53/54 on Windows/Mac and 149.0.7827.53 on Linux. Chrome release
Fixed versionsFixed in Chrome 149.0.7827.53 for Windows. Enterprise fleets can validate version distribution from the Chrome Admin console versions report. Version reporting
Vendor severity mismatchYour intel block says HIGH 7.5, but Google's own June 2, 2026 Chrome advisory lists CVE-2026-11058 as Medium Chromium severity. That discrepancy is the whole story here: downstream CVSS looks scarier than the exploit chain really is. Chrome release lines with CVE
Exposure / scanning realityThis is not internet-enumerable in the way a VPN or web server flaw is. Shodan/Censys/FOFA won't tell you who is vulnerable; your real exposure data lives in endpoint/browser inventory and Chrome enterprise version reports.
Disclosure / reportingDisclosed 2026-06-04 per the supplied intel block; Google's release note shows it was reported by Google on 2026-04-02, which usually implies internal discovery rather than an external exploit writeup. Chrome release
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.9/10)

The single most important factor is that this issue requires a pre-existing renderer compromise, which makes it a post-initial-access chain component rather than a stand-alone remote entry bug. That sharply limits reachable population and real-world exploit volume, despite the high theoretical impact if the full chain lands.

HIGH Affected version and Windows-only scope
HIGH Need for prior renderer compromise
MEDIUM Likely exploit outcome as sandbox/OS-level escalation

Why this verdict

  • Major prerequisite drag: the attacker needs renderer compromise first, which implies a separate initial exploit stage before this CVE even matters
  • Population narrowing: Windows-only CredentialProvider code means this does not apply to macOS/Linux browser fleets, cutting enterprise exposure immediately
  • Weak threat signals: no KEV listing, no public PoC found, and a very low EPSS all argue against urgent weaponization pressure
  • Vendor reality check: Google's own Chrome release classified CVE-2026-11058 as *Medium* Chromium severity, which better matches the exploit friction than a generic 7.5 HIGH

Why not higher?

It is not higher because this is not a one-bug remote takeover from the internet. Requiring both user interaction and a separate successful renderer compromise compounds friction hard, and each prerequisite shrinks the number of real deployments an attacker can hit at scale.

Why not lower?

It is not lower because if an attacker already has renderer execution, this bug can materially increase blast radius by helping cross the sandbox boundary on Windows endpoints. Chrome is massively deployed, so even post-compromise chain components deserve disciplined patch hygiene.

05 · Compensating Control

What to do — in priority order.

  1. Verify Chrome auto-update is not pinned or broken — For a MEDIUM verdict there is no mitigation SLA, so use this as immediate hygiene while you move to patch. Check GPOs, Omaha/Google Update settings, and any version pinning that would strand Windows endpoints below 149.0.7827.53.
  2. Prioritize browser exploit telemetry on Windows endpoints — Because exploitation needs a renderer foothold first, the most useful temporary control is catching the *first* stage. Ensure EDR, browser crash reporting, and detections for suspicious chrome.exe child-process behavior are enabled while remediation proceeds; there is no mitigation SLA, but do it opportunistically now.
  3. Reduce risky browser reach — Use existing web filtering, SmartScreen/Safe Browsing policies, and extension controls to suppress the likelihood of the upstream renderer exploit stage. This does not replace patching, but it reduces the probability the chain ever reaches CVE-2026-11058.
  4. Inventory vulnerable Windows browsers — Pull managed Chrome version data from the Admin console or endpoint inventory and isolate hosts below 149.0.7827.53. With no mitigation SLA, the practical move is to find the laggards and feed them into normal browser remediation rather than declare an incident.
What doesn't work
  • A network perimeter scan will not help; this is a client-side browser flaw, not an exposed service.
  • Treating it like a stand-alone remote code execution bug is the wrong mental model; blocking one IOC at the edge does nothing if the real issue is outdated browser versions on endpoints.
  • Relying on MFA does not meaningfully reduce exploitation of this CVE; MFA matters for account abuse, not renderer-to-OS exploit chains.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows endpoint or through your RMM/SCCM/Intune script runner. Example: powershell -ExecutionPolicy Bypass -File .\check-chrome-cve-2026-11058.ps1; standard user rights are usually enough to read Chrome file and registry version data, but local admin helps in locked-down environments.

noisgate-verify.ps1
POWERSHELLREAD-ONLYSAFE
# check-chrome-cve-2026-11058.ps1

# Purpose: Determine whether Google Chrome on Windows is vulnerable to CVE-2026-11058

# Logic: Chrome versions earlier than 149.0.7827.53 are VULNERABLE

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


param()

$ErrorActionPreference = 'SilentlyContinue'
$fixedVersion = [version]'149.0.7827.53'

function Get-ChromeVersionFromPath {
    param([string]$Path)
    if (Test-Path $Path) {
        try {
            $item = Get-Item $Path
            if ($item.VersionInfo -and $item.VersionInfo.FileVersion) {
                return [version]$item.VersionInfo.FileVersion
            }
        } catch {}
    }
    return $null
}

function Get-ChromeVersionFromRegistry {
    $regPaths = @(
        'HKLM:\SOFTWARE\Google\Chrome\BLBeacon',
        'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\BLBeacon',
        'HKCU:\Software\Google\Chrome\BLBeacon'
    )

    foreach ($reg in $regPaths) {
        try {
            $ver = (Get-ItemProperty -Path $reg -Name version).version
            if ($ver) {
                return [version]$ver
            }
        } catch {}
    }
    return $null
}

$paths = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "$env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe",
    "$env:LocalAppData\Google\Chrome\Application\chrome.exe"
)

$foundVersions = New-Object System.Collections.Generic.List[object]

foreach ($p in $paths) {
    $v = Get-ChromeVersionFromPath -Path $p
    if ($v -ne $null) {
        $foundVersions.Add([pscustomobject]@{ Source = $p; Version = $v })
    }
}

$regVersion = Get-ChromeVersionFromRegistry
if ($regVersion -ne $null) {
    $foundVersions.Add([pscustomobject]@{ Source = 'Registry'; Version = $regVersion })
}

if ($foundVersions.Count -eq 0) {
    Write-Output 'UNKNOWN - Google Chrome not found or version unreadable'
    exit 2
}

# Pick the highest discovered version to avoid false vulnerable when multiple channels/installs exist

$effective = $foundVersions | Sort-Object Version -Descending | Select-Object -First 1

Write-Output ("Detected Chrome version: {0} (source: {1})" -f $effective.Version, $effective.Source)

if ($effective.Version -lt $fixedVersion) {
    Write-Output 'VULNERABLE'
    exit 1
} elseif ($effective.Version -ge $fixedVersion) {
    Write-Output 'PATCHED'
    exit 0
} else {
    Write-Output 'UNKNOWN'
    exit 2
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: treat this as browser fleet hygiene with a post-compromise twist, not as a perimeter emergency. Pull your Windows Chrome version report, find anything below 149.0.7827.53, confirm auto-update or pinning issues, and feed laggards into normal patch operations; there is no noisgate mitigation SLA — go straight to the 365-day remediation window under the noisgate remediation SLA. In practice, because Chrome auto-updates and the fix is already out, most enterprises should clear this far sooner than the SLA, but it does not warrant incident-mode patching absent exploitation evidence.

Sources

  1. Google Chrome Releases - Stable Channel Update for Desktop (June 2, 2026)
  2. Canadian Centre for Cyber Security AV26-544
  3. CISA Known Exploited Vulnerabilities Catalog
  4. FIRST EPSS User Guide
  5. FIRST EPSS API documentation
  6. Chrome Enterprise - View Chrome version details
  7. Chrome Enterprise - Manage Chrome updates (Windows)
  8. InfoProtección CVE listing with full description snippet
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.