CVE-2026-11069 · Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin p

01 · The Real Story

Like a side door in the browser that only matters if someone first gets a user to walk into the right room

The supplied record describes a Cast input-validation flaw in Chrome that lets a remote attacker bypass same-origin protections using a crafted HTML page, affecting versions before 149.0.7827.53 on Linux and 149.0.7827.53/54 on Windows/macOS. One important caveat: as of 2026-06-05, the public Chrome 149 release notes do list CVE-2026-11069 as a Medium Cast validation bug, but the fuller public description matching your title currently aligns with the analogous public record CVE-2026-11259; this assessment follows the *behavior* you supplied, not the ID string blindly.

paragraphs continued: same-origin bypass sounds scary in abstract, but the real path is much narrower than a server-side internet-edge flaw. The attacker still needs the victim to load malicious content, the bug lives in a Cast-specific code path rather than a universally exposed network service, Chrome’s modern site isolation architecture reduces blast radius, and there is no KEV listing or credible public exploitation signal. That makes the vendor's MEDIUM 6.5 feel too generous for enterprise patch prioritization.

"This is a browser-policy bug with real user-click friction and a narrow Cast-specific trigger, not a fleet emergency."

02 · The Attack Path

3 steps from start to impact.

STEP 01

Land the victim on attacker HTML

The attacker needs a user running a vulnerable Chrome build to open a crafted page. This is classic browser exploitation delivery: phishing, malvertising, or a compromised site provides the trigger content.

Conditions required:

Victim uses Chrome prior to 149.0.7827.53/54
Victim loads attacker-controlled HTML
Attacker can deliver web content to the victim

Where this breaks in practice:

Requires user interaction (UI:R)
Enterprise web filtering, safe browsing, mail security, and URL isolation can block delivery
No evidence this bug is being mass-exploited

Detection/coverage: Web proxies, email gateways, browser telemetry, and Safe Browsing may catch delivery, but vulnerability scanners do not see exploit attempts directly.

STEP 02

Reach the Cast validation flaw

The crafted page must exercise the vulnerable Cast path and cause insufficient validation of untrusted input. That is materially narrower than a generic Blink or V8 issue because the vulnerable logic sits behind a specific browser feature area rather than arbitrary page parsing alone.

Conditions required:

Cast-related code path is reachable in the victim's browser context
The page can trigger the vulnerable Cast handling path

Where this breaks in practice:

Cast is not a broadly internet-exposed service
Many enterprise users never actively use Cast features
Feature-specific browser bugs are harder to weaponize at scale than renderer memory corruption

Detection/coverage: Version-based detection is reliable; exploit-path detection is poor unless Chrome/EDR telemetry exposes the crashing or policy-bypass behavior.

STEP 03

Abuse same-origin bypass for cross-origin actions

If the bypass succeeds, the attacker may perform actions or content manipulation across origin boundaries that should have been blocked. In practice, this is usually less reliable and lower-impact than full renderer code execution because the payload is constrained by browser security architecture, session state, and feature semantics.

Conditions required:

Victim is simultaneously authenticated to a useful target origin or has sensitive web state present
The vulnerable path yields usable cross-origin capability

Where this breaks in practice:

No published PoC proving broad, repeatable impact
Chrome Site Isolation and process separation reduce some post-bypass value
The supplied intel shows integrity impact only, with no established confidentiality or availability outcome

Detection/coverage: Look for suspicious cross-origin browser actions in session logs, anomalous requests from user browsers, and EDR/browser telemetry; network scanners will not see this.

03 · Intelligence Metadata

The supporting signals.

Record hygiene	Caution: your supplied title/behavior matches the public description now visible for `CVE-2026-11259`, while Chrome 149 release notes separately list `CVE-2026-11069` as a Cast input-validation bug on 2026-06-02. I assessed the described behavior and treated the ID mismatch as unresolved public-record drift.
In-the-wild status	No active exploitation evidence found. Not present in CISA KEV as checked against the public catalog; no primary-source campaign reporting located.
PoC availability	No public PoC found in official Chromium/Google sources or reputable public reporting reviewed here. That lowers urgency materially.
EPSS	0.00021 from supplied intel; extremely low. Percentile was not verified from the primary FIRST feed during this review, so do not over-interpret it.
KEV status	Not KEV-listed as of 2026-06-05.
CVSS and interpretation	Supplied vendor baseline: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N` = 6.5 MEDIUM. Public NVD enrichment for the analogous exact-description record `CVE-2026-11259` shows a lower CISA-ADP assessment of `AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N` = 4.3 MEDIUM, which supports downward pressure.
Affected versions	Chrome before `149.0.7827.53` on Linux and before `149.0.7827.53/54` on Windows/macOS, per the Chrome 149 desktop release notes.
Fixed versions	Upgrade to Chrome 149.0.7827.53 on Linux and 149.0.7827.53/54 on Windows/macOS. Enterprise channels that lag stable should verify backported builds rather than major version alone.
Scanning/exposure reality	Shodan/Censys/FOFA are largely irrelevant here. This is endpoint browser code, not an internet-exposed service; exposure is a fleet software inventory problem, not an attack-surface scan problem.
Disclosure and reporter	Public release note published 2026-06-02; NVD publication for the analogous public description is 2026-06-04. The Chrome 149 notes show the Cast entries in this range as reported by Google on 2026-04-03.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.9/10)

The decisive factor is compound friction: this requires a user to load attacker HTML and then successfully hit a Cast-specific browser policy bug, which sharply narrows both reachability and exploit scale. With no KEV listing, no public exploitation, and no evidence of broad weaponization, this does not belong in the same patch queue as remotely reachable server flaws or renderer RCEs.

MEDIUM Severity downgrade from the supplied `MEDIUM 6.5` baseline

LOW Exact CVE-to-description mapping because the public record currently shows an ID/description mismatch

HIGH Assessment that this is not internet-edge and not meaningfully scannable

Why this verdict

User-click required: UI:R means the attacker still needs delivery and victim interaction before anything happens.
Feature-path narrowing: this sits in Cast, not a universally reachable server or generic memory-corruption path; that sharply cuts reachable population in real enterprise use.
No exploitation signal: no KEV listing, no public PoC, and a tiny supplied EPSS materially reduce immediate operational risk.
Blast radius is browser-bounded: even if same-origin checks are bypassed, this is still not equivalent to native code execution or unauthenticated server compromise.
Vendor baseline looks inflated: the analogous public NVD/CISA-ADP record for the same behavior is lower (4.3) than the supplied 6.5, which reinforces a downgrade.

Why not higher?

This is not an unauthenticated server-side bug, not a memory-corruption-to-RCE issue, and not something an external scanner can find on your perimeter. The exploit chain starts with social or web delivery and then depends on a specific browser feature path, which is exactly the kind of compound friction that pushes enterprise urgency down.

Why not lower?

A same-origin bypass is still a real security-boundary failure inside the browser, and Chrome is widely deployed across enterprise fleets. If an attacker can reliably trigger it against authenticated users, it can enable cross-origin actions or content tampering that defenders should not ignore.

05 · Compensating Control

What to do — in priority order.

Force auto-update compliance — Ensure Chrome stable-channel updates are actually landing on endpoints and unmanaged browsers are blocked from corp access. For a LOW noisgate verdict there is no SLA, so treat this as backlog hygiene while still cleaning up stale versions through normal browser management.
Reduce malicious-page delivery — Tighten email URL filtering, web isolation, Safe Browsing enforcement, and high-risk user browser controls to cut off the only realistic initial step: getting a victim onto attacker HTML. For a LOW verdict there is no mitigation SLA; fold this into routine hardening rather than emergency change windows.
Enforce browser inventory visibility — Use EDR, software inventory, MDM, or enterprise browser management to identify hosts below 149.0.7827.53/54. Because this is endpoint software rather than a network service, inventory accuracy matters more than perimeter scanning.
Prefer site isolation defaults — Keep Chrome’s Site Isolation protections enabled and do not weaken them through performance-driven exceptions. They do not remove the bug, but they reduce the practical value of same-origin boundary mistakes.

What doesn't work

External vulnerability scanning won't help much because Chrome desktop exposure is not internet-enumerable.
Network segmentation alone does not stop a user from browsing to a malicious page.
MFA is good hygiene but does not prevent a browser same-origin policy bug from abusing an already authenticated session in the browser.

06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your EDR/remote execution tool, not from an auditor workstation. Invoke it with python3 check_chrome_149.py (Windows can use py check_chrome_149.py); no admin rights are strictly required, but local read access to standard install paths is needed.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# check_chrome_149.py
# Exit codes:
# 0 = PATCHED
# 1 = VULNERABLE
# 2 = UNKNOWN

import os
import platform
import re
import subprocess
import sys
from pathlib import Path

FIX_MIN = (149, 0, 7827, 53)

CANDIDATES = {
    'Windows': [
        Path(os.environ.get('ProgramFiles', r'C:\Program Files')) / 'Google/Chrome/Application/chrome.exe',
        Path(os.environ.get('ProgramFiles(x86)', r'C:\Program Files (x86)')) / 'Google/Chrome/Application/chrome.exe',
        Path(os.environ.get('LocalAppData', '')) / 'Google/Chrome/Application/chrome.exe',
    ],
    'Darwin': [
        Path('/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'),
        Path.home() / 'Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
    ],
    'Linux': [
        Path('/usr/bin/google-chrome'),
        Path('/usr/bin/google-chrome-stable'),
        Path('/opt/google/chrome/chrome'),
        Path('/snap/bin/chromium'),
        Path('/usr/bin/chromium'),
        Path('/usr/bin/chromium-browser'),
    ],
}


def parse_version(s):
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', s)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_to_str(v):
    return '.'.join(str(x) for x in v)


def run_version(binary):
    try:
        out = subprocess.check_output([str(binary), '--version'], stderr=subprocess.STDOUT, timeout=8)
        return out.decode(errors='ignore').strip()
    except Exception:
        return None


def find_installed():
    system = platform.system()
    keys = {'Windows': 'Windows', 'Darwin': 'Darwin'}.get(system, 'Linux')
    found = []
    for p in CANDIDATES.get(keys, []):
        if p and p.exists():
            found.append(p)
    return found


def main():
    found = find_installed()
    if not found:
        print('UNKNOWN - Chrome/Chromium binary not found in standard locations')
        sys.exit(2)

    best = None
    best_path = None
    for binary in found:
        raw = run_version(binary)
        if not raw:
            continue
        ver = parse_version(raw)
        if ver and (best is None or ver > best):
            best = ver
            best_path = binary

    if best is None:
        print('UNKNOWN - Unable to read browser version from discovered binaries')
        sys.exit(2)

    if best < FIX_MIN:
        print(f'VULNERABLE - Found {version_to_str(best)} at {best_path}; expected >= {version_to_str(FIX_MIN)}')
        sys.exit(1)
    else:
        print(f'PATCHED - Found {version_to_str(best)} at {best_path}; meets >= {version_to_str(FIX_MIN)}')
        sys.exit(0)


if __name__ == '__main__':
    main()

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: do not treat this like an emergency edge-service patch. Validate your browser inventory, make sure Chrome auto-update is working, and roll the fixed builds through normal endpoint hygiene. Because this lands at LOW, there is no noisgate mitigation SLA and noisgate remediation SLA is effectively backlog hygiene; schedule remediation in your standard browser update cycle rather than a weekend change window. If you discover a high-risk user group actively using Cast features with delayed browser patching, move those users to the front of the queue, but this still does not justify immediate out-of-band enterprise-wide disruption.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.