← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11062 · CWE-602 · Disclosed 2026-06-04

Insufficient policy enforcement in Extensions in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a side door that only opens after the user hauls the attacker’s furniture inside

CVE-2026-11062 is an *insufficient policy enforcement* flaw in Chrome Extensions that affects Google Chrome versions prior to 149.0.7827.53. The published description says a user must first be convinced to install a malicious Chrome extension, after which that extension can inject scripts or HTML into a privileged page. For defenders, that matters: this is not a drive-by web bug and not a no-click browser RCE; it is a trust-boundary failure that starts with extension installation.

Google's 4.3 / MEDIUM is fair in the abstract, but for managed enterprise fleets it is still a bit generous. The decisive friction is the prerequisite chain: attacker needs social engineering success, the victim must install a malicious extension, and many enterprises already constrain extensions through allowlists, force-installs, or permission-based policy. Large Chrome deployment keeps it from being *IGNORE*, but the real-world reachable population inside well-managed estates is much narrower than the vendor baseline suggests.

"This is a malicious-extension problem wearing a Chrome-CVE badge, not a fleetwide remote compromise event"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a malicious extension

The attacker needs a weaponized Chrome extension as the initial tool. There is no evidence in the reviewed sources of a public exploit kit or turnkey PoC for this CVE; the practical weapon is a malicious CRX or Web Store-hosted extension that the victim can be induced to trust and install.
Conditions required:
  • Attacker can socially engineer a target user
  • User is allowed to install extensions or sideload them
  • Enterprise policy does not fully block unapproved extensions
Where this breaks in practice:
  • Chrome Enterprise commonly allows admins to block or allowlist extensions
  • Users must take an installation action; this is not a passive browsing exploit
  • Many security teams already treat browser extensions as controlled software
Detection/coverage: Version scanners will not prove exploitability here. Extension inventory from Chrome Enterprise, EDR artifact collection, or local profile inspection is more useful than CVE-only scanning.
STEP 02

Abuse the policy enforcement gap

Once installed, the malicious extension attempts to leverage the enforcement weakness in the Extensions component to inject scripts or HTML into a privileged page. The weaponized tool at this stage is still the crafted extension described in the NVD and Chrome advisory, with Chromium issue 499033012 tracking the bug.
Conditions required:
  • Malicious extension is installed and enabled
  • Victim runs a vulnerable Chrome build prior to 149.0.7827.53
  • The targeted privileged page or workflow is reachable in the user's browser context
Where this breaks in practice:
  • The impact is integrity-oriented injection, not direct OS-level code execution
  • Privileged-page access paths are narrower than generic page scripting
  • Browser updates rapidly compress exposure windows on auto-updating endpoints
Detection/coverage: Browser crash telemetry is unlikely to help. Detect through Chrome version inventory, extension change monitoring, and review of newly installed or non-approved extension IDs.
STEP 03

Manipulate privileged browser UI or workflows

The likely attacker goal is to alter trusted browser content or workflows, enabling phishing-style prompts, data tampering, or misuse of higher-trust UI surfaces. This is meaningful because users tend to trust browser-native or browser-privileged pages more than ordinary websites.
Conditions required:
  • Victim interacts with the affected privileged page
  • The injected content can influence a security-relevant decision or workflow
Where this breaks in practice:
  • The attacker still operates inside the browser trust boundary, not the host OS
  • Blast radius is per-user and per-browser-profile rather than immediately enterprise-wide
  • Downstream impact depends heavily on what the user does next
Detection/coverage: User reports, browser extension audit logs, and detections for newly installed extensions are more realistic than network IDS signatures.
STEP 04

Pivot to follow-on abuse

If the extension succeeds, the attacker may use the browser foothold for credential theft, session abuse, deceptive prompts, or policy evasion within that user's browsing context. The tool here remains the malicious extension rather than a native payload, which keeps the blast radius materially below a browser RCE chain.
Conditions required:
  • Attacker can monetize a browser-context foothold
  • Victim uses the affected browser for sensitive internal or SaaS workflows
Where this breaks in practice:
  • No in-the-wild exploitation evidence reviewed
  • No KEV listing
  • Low EPSS and no public weaponization surfaced in source review
Detection/coverage: Identity telemetry, suspicious browser extension installs, and cloud session anomaly detections are better hunting leads than vulnerability scanners.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo reviewed source showed active exploitation. CISA KEV does not list CVE-2026-11062.
Proof-of-concept availabilityNo public PoC or GitHub exploit surfaced in source review. The Chromium issue reference exists, but bug details are still restricted.
EPSS0.00008 from the provided intel — effectively floor-level probability.
KEV statusNot listed in the CISA KEV catalog.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N — the important bit is UI:R: exploitation needs user action, and impact is integrity-only.
Affected versionsGoogle Chrome desktop versions prior to 149.0.7827.53; Chrome's release post says the fixed stable build is 149.0.7827.53 on Linux and 149.0.7827.53/.54 on Windows/Mac.
Fixed versionsPatch level is Chrome 149.0.7827.53 or later; Windows/macOS rollout includes 149.0.7827.54.
Exposure realityChrome is everywhere — StatCounter shows 74.93% desktop share worldwide for May 2026 — but *exploitability* is gated by extension-install permission and user behavior, not just product presence.
Scanner coverageMost VM tools can flag outdated Chrome versions. Far fewer can answer the real question: *can users install unapproved extensions, and did any do so?*
Disclosure and reporterChrome/NVD record published 2026-06-04; Chrome release notes say CVE-2026-11062 was reported by Google on 2026-04-02.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (2.9/10)

The single biggest severity reducer is the attacker position requirement: they do not get a remote browser compromise from the network; they first need the victim to install a malicious extension. In managed estates, extension controls sharply cut the reachable population, so this lands as a browser hygiene issue rather than an emergency patch event.

HIGH Prerequisite chain requires user-installed malicious extension
MEDIUM Enterprise exposure is reduced by extension-management policy
MEDIUM No public weaponization or active exploitation found in reviewed sources

Why this verdict

  • Downward adjustment: requires user actionUI:R is not cosmetic here; the exploit path begins only after a user installs a malicious extension.
  • Downward adjustment: attacker position is pre-compromise social engineering, not unauthenticated remote code execution — this is a narrow initial-access dependency, not a general web-triggered browser bug.
  • Downward adjustment: real enterprise exposure is policy-shaped — Chrome Enterprise supports allow/block and force-install controls, which means many managed fleets can prevent or heavily constrain arbitrary extension installation.
  • Downward adjustment: impact is limited — the published CVSS reflects integrity-only impact with no confidentiality or availability loss in the base case.
  • Downward adjustment: threat intel is cold — no KEV listing, no active exploitation evidence reviewed, and the provided EPSS is near zero.
  • Upward pressure retained — Chrome is massively deployed, so even medium-friction extension abuse matters enough to keep this above *IGNORE*.

Why not higher?

To score this higher, you would want one of three amplifiers: a web-only trigger, public weaponization, or active exploitation. We have none of those here. The malicious-extension prerequisite is a hard gate that collapses the exposed population compared with ordinary browser CVEs.

Why not lower?

This is still a trusted-browser-surface issue in the most widely deployed desktop browser, so dismissing it entirely would be sloppy. Unmanaged endpoints, developer workstations, and loosely governed BYOD populations can absolutely meet the install-an-extension prerequisite, and privileged-page injection can still enable meaningful follow-on abuse.

05 · Compensating Control

What to do — in priority order.

  1. Lock down extension installs — Use ExtensionSettings, allowlists, and blocklists so users cannot freely install arbitrary extensions. For a LOW noisgate verdict there is no SLA (treat as backlog hygiene), but if you lack extension governance today, add this in the next normal browser policy cycle because it cuts off the exploit path entirely.
  2. Inventory installed extensions — Collect extension IDs, install sources, and permission sets from managed Chrome endpoints to identify risky or non-approved add-ons. For LOW, there is no SLA (treat as backlog hygiene); fold this into your standard endpoint and browser telemetry program.
  3. Prefer force-installed approved extensions — Where the business genuinely needs extensions, use centrally approved and force-installed packages instead of user discretion. For LOW, there is no SLA (treat as backlog hygiene), but this is the cleanest structural defense against the entire class.
  4. Alert on new extension installs — Create detections for first-seen extension IDs, installs outside your approved list, and sideload indicators. For LOW, there is no SLA (treat as backlog hygiene); deploy as part of normal detective-control hardening.
What doesn't work
  • A network IDS or perimeter firewall does not meaningfully solve this; the dangerous action is a user-approved extension install and in-browser abuse.
  • MFA does not block the vulnerability trigger. It may reduce downstream account abuse, but it does not stop privileged-page injection by a malicious extension.
  • A generic web content filter is incomplete protection because the attacker can use trusted delivery channels, private extension distribution, or social engineering rather than a single malicious URL.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or via your software inventory runner. Invoke it with python3 chrome_cve_2026_11062_check.py on macOS/Linux or py chrome_cve_2026_11062_check.py on Windows; standard user rights are usually enough because the script only reads local Chrome version metadata and binaries.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# CVE-2026-11062 local Chrome version check
# Outputs: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import platform
import re
import subprocess
import sys
from pathlib import Path

FIXED = (149, 0, 7827, 53)


def parse_version(text):
    if not text:
        return None
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def cmp_version(a, b):
    return (a > b) - (a < b)


def read_file(path):
    try:
        return Path(path).read_text(encoding='utf-8', errors='ignore')
    except Exception:
        return None


def run_cmd(cmd):
    try:
        out = subprocess.check_output(cmd, stderr=subprocess.STDOUT, text=True)
        return out.strip()
    except Exception:
        return None


def get_windows_version():
    candidates = [
        os.path.expandvars(r'%ProgramFiles%\Google\Chrome\Application\chrome.exe'),
        os.path.expandvars(r'%ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe'),
        os.path.expandvars(r'%LocalAppData%\Google\Chrome\Application\chrome.exe'),
    ]

    for exe in candidates:
        if exe and os.path.exists(exe):
            ps = [
                'powershell', '-NoProfile', '-Command',
                f"(Get-Item '{exe}').VersionInfo.ProductVersion"
            ]
            out = run_cmd(ps)
            ver = parse_version(out)
            if ver:
                return ver, exe
    return None, None


def get_macos_version():
    app = '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'
    if os.path.exists(app):
        out = run_cmd([app, '--version'])
        ver = parse_version(out)
        if ver:
            return ver, app

    plist = '/Applications/Google Chrome.app/Contents/Info.plist'
    if os.path.exists(plist):
        out = run_cmd(['/usr/bin/defaults', 'read', plist, 'KSVersion'])
        ver = parse_version(out)
        if ver:
            return ver, plist
    return None, None


def get_linux_version():
    candidates = [
        ['google-chrome', '--version'],
        ['google-chrome-stable', '--version'],
        ['/opt/google/chrome/chrome', '--version'],
        ['/usr/bin/google-chrome', '--version'],
        ['/usr/bin/google-chrome-stable', '--version'],
    ]
    for cmd in candidates:
        out = run_cmd(cmd)
        ver = parse_version(out)
        if ver:
            return ver, ' '.join(cmd)
    return None, None


def main():
    system = platform.system().lower()
    version = None
    source = None

    if 'windows' in system:
        version, source = get_windows_version()
    elif 'darwin' in system:
        version, source = get_macos_version()
    elif 'linux' in system:
        version, source = get_linux_version()

    if not version:
        print('UNKNOWN - Google Chrome version could not be determined on this host')
        sys.exit(2)

    if cmp_version(version, FIXED) < 0:
        print(f'VULNERABLE - Chrome version {".".join(map(str, version))} detected via {source}; fixed version is >= {".".join(map(str, FIXED))}')
        sys.exit(1)
    else:
        print(f'PATCHED - Chrome version {".".join(map(str, version))} detected via {source}; fixed version is >= {".".join(map(str, FIXED))}')
        sys.exit(0)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: do not treat this like an emergency Chrome fire drill. Confirm which endpoint groups still permit user-installed extensions, identify any unmanaged or developer populations, and fold Chrome 149.0.7827.53/54 into your next routine browser rollout; for a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA beyond backlog hygiene, so document the rationale if extension installs are already tightly governed and patch in the normal maintenance stream.

Sources

  1. NVD CVE-2026-11062 detail
  2. Chrome Releases stable channel update for desktop
  3. VulDB CVE-2026-11062 summary
  4. Chrome Enterprise - Managing Extensions in Your Enterprise
  5. Chrome Enterprise - Configure ExtensionSettings policy
  6. Chrome Enterprise - ExtensionInstallForcelist policy
  7. FIRST EPSS API documentation
  8. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.