← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11071 · CWE-416 · Disclosed 2026-06-04

Use after free in Base in Google Chrome on Linux prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is the second lock behind the first broken door, not the front door itself

CVE-2026-11071 is a use-after-free in Chrome's Base code on Linux affecting Google Chrome before 149.0.7827.53. The vendor wording matters here: this bug is not described as a clean unauthenticated one-shot browser RCE; it requires an attacker who has already compromised the renderer process. From that phrasing, the practical role of this bug is post-renderer exploitation inside a chained browser attack, likely to extend control beyond the renderer sandbox or otherwise upgrade impact. That last part is an *inference from the vendor description pattern*, because the underlying Chromium issue remains restricted.

Google's HIGH 8.8 label is defensible if you score the bug in isolation with browser-style assumptions, but it overstates defender urgency for enterprise patch triage. The renderer-compromise prerequisite is major friction: it implies the attacker already landed a separate browser exploit stage first, and the bug is Linux-only, which cuts the reachable population again in mixed fleets. No KEV listing, no public exploitation evidence, and a very low EPSS all push this down from 'drop everything' into 'important chain component, but not your Monday morning panic patch' territory.

"Serious only inside a larger browser exploit chain; not a stand-alone internet-to-RCE fire drill"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land code execution in the renderer first

The attacker still needs a separate bug to get execution inside Chrome's renderer, typically by serving a crafted page or active content. CVE-2026-11071 does not give them that first foothold by itself; it only becomes relevant after renderer compromise.
Conditions required:
  • Target uses vulnerable Chrome on Linux
  • Victim reaches attacker-controlled web content
  • Attacker has a separate renderer compromise primitive or 0-day
Where this breaks in practice:
  • This is a compound exploit chain, not a single-CVE drive-by
  • Modern browser exploit mitigations make reliable renderer compromise non-trivial
  • Email gateways, URL filtering, DNS filtering, and browser isolation can stop the chain before this CVE matters
Detection/coverage: Commodity vulnerability scanners can flag vulnerable Chrome versions, but they generally cannot tell whether the prerequisite renderer exploit exists in the attack chain.
STEP 02

Trigger the Linux-only Base use-after-free

Once inside the renderer, the attacker attempts to reach the vulnerable Base lifecycle bug on Linux. Because the issue lives in a shared Chromium subsystem rather than a user-facing feature, exploitation reliability depends on hitting a specific object lifetime and memory layout under Linux.
Conditions required:
  • Renderer already compromised
  • Target is specifically Linux
  • Target version is earlier than 149.0.7827.53
Where this breaks in practice:
  • Linux-only scope immediately removes Windows and macOS endpoints from the reachable population
  • Use-after-free exploitation is typically brittle across builds, allocators, and hardening states
  • Enterprise Linux fleets often lag in browser homogeneity, reducing exploit reliability at scale
Detection/coverage: Version-based detection is straightforward. Behavior-based detection is hard unless you have browser crash telemetry, EDR child-process analytics, or sandbox escape detections.
STEP 03

Convert memory corruption into a sandbox bypass or privilege upgrade

The attacker then needs to turn the use-after-free into useful control flow or data corruption that meaningfully improves position beyond the renderer. Given the vendor phrasing, the practical goal is likely a post-renderer security boundary bypass rather than simple renderer code execution.
Conditions required:
  • Exploit reliability against the exact Linux build
  • A path from corruption to policy/sandbox escape or broader browser compromise
  • No crash-only outcome
Where this breaks in practice:
  • A large share of memory-corruption attempts die as crashes, not clean escapes
  • Browser sandboxing, seccomp, namespaces, and EDR raise the bar after renderer compromise
  • Even successful browser-process compromise may still face OS-level privilege boundaries
Detection/coverage: Look for abnormal Chrome crashes, renderer-to-browser process abuse, unusual child processes from chrome, and EDR detections on browser exploit behavior. Network IDS has limited value here.
STEP 04

Act on the endpoint

If the chain succeeds, the attacker can steal session material, stage follow-on payloads, or pivot into user-context actions on sensitive Linux workstations. Real damage concentrates on developer, admin, and privileged browsing endpoints, not the average kiosk or thin client.
Conditions required:
  • Successful full exploit chain
  • Valuable browser sessions or local access paths on the host
  • Target user has meaningful access
Where this breaks in practice:
  • Blast radius is mostly endpoint-local unless the user already has privileged access or sensitive sessions
  • MFA, PAM separation, and least privilege limit what a user-context browser compromise can cash out into
Detection/coverage: EDR should be the primary control here: process injection, suspicious browser descendants, credential store access, and post-exploitation tooling from a browser parent are the signals that matter.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public in-the-wild evidence found in reviewed sources, and not listed in CISA KEV as of 2026-06-05. Source: CISA KEV.
Public PoC availabilityNo public PoC/exploit repo located during source review. The Chromium issue is still restricted, which is typical when bug details could aid weaponization: issue 499227659.
EPSS0.00035 from the user-supplied intel, which is extremely low in practical prioritization terms. EPSS itself is a probability model, not a severity model: FIRST EPSS.
KEV statusNot KEV-listed. That matters because KEV is the cleanest public signal that exploitation has crossed from theoretical to operational: CISA KEV catalog.
Vendor score vs realityVendor baseline is HIGH 8.8 with AV:N/AC:L/PR:N/UI:R, but the description explicitly adds the real-world prerequisite 'attacker who had compromised the renderer process'. That prerequisite is the big downgrade driver.
Affected versionsGoogle Chrome on Linux prior to 149.0.7827.53. This is not a universal cross-platform desktop Chrome fire; it is a Linux slice of the fleet: Chrome release advisory.
Fixed version149.0.7827.53 for Linux. The same release train delivered 149.0.7827.53/54 on Windows/Mac, but this CVE's affected text is Linux-specific: Chrome release advisory.
Disclosure timelineUser-supplied disclosure date is 2026-06-04. The Chrome 149 stable desktop release posted on 2026-06-02, and public vulnerability indexing followed shortly after: Chrome June 2026 archive.
Reporter / bug IDReported by Google on 2026-04-03 in the Chrome release notes, tied to Chromium issue 499227659: release note entry, issue link.
Exposure realityShodan/Censys-style exposure data is basically irrelevant here because this is a client-side browser bug, not an internet-facing daemon. Your exposure question is 'how many Linux endpoints run old Chrome,' not 'how many public sockets answer on port X.'
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.8/10)

The decisive factor is the renderer-compromise prerequisite: this CVE is a second-stage browser exploit component, not a first-stage internet-to-code-exec bug. Linux-only scope narrows the exposed population further, so while the technical impact can be ugly in a full chain, the reachable enterprise blast radius is materially smaller than the vendor 8.8 suggests.

HIGH Affected version boundary and Linux-only scope
MEDIUM Reassessment that this is materially lower priority than a stand-alone browser RCE
LOW Exact post-renderer impact mechanics, because the Chromium bug remains restricted

Why this verdict

  • Major prerequisite drag: the attacker must already have renderer compromise, which implies a prior exploit stage and kills the 'single-CVE remote compromise' narrative.
  • Population reduction: this is Linux-only Chrome, so in a typical enterprise the reachable population is far smaller than all-desktop Chrome counts.
  • No active exploitation signal: no KEV, no public exploitation evidence found, and very low EPSS all argue against emergency handling.
  • Security stack should break the chain earlier: secure web gateway, URL filtering, browser isolation, and EDR have chances to stop the initial renderer exploit before this CVE ever becomes reachable.
  • Impact is still real on the right hosts: Linux developer/admin workstations can carry privileged sessions, SSH material, cloud creds, and source access, so this is not backlog junk.

Why not higher?

Because this bug is not the front door. Requiring prior renderer compromise turns it into a chained exploit stage, and every added prerequisite compounds downward pressure on severity. Add Linux-only targeting and the reachable enterprise population shrinks again.

Why not lower?

Because post-renderer browser bugs are exactly the kind of primitives advanced operators chain when they care about escaping the sandbox. On sensitive Linux workstations, a successful chain can still lead to credential theft, session hijack, or code execution in a high-value user context.

05 · Compensating Control

What to do — in priority order.

  1. Enforce Chrome auto-update on Linux — Make sure managed Linux endpoints actually receive Chrome stable updates and are not pinned or broken in package management. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but for browsers you should still clean up stragglers in your next normal endpoint cycle rather than let them drift.
  2. Harden high-risk browsing tiers — Apply stricter browsing policy to developer, admin, and privileged Linux workstations: reduce unmanaged extensions, block risky categories, and prefer browser isolation for high-risk users. This lowers the chance the prerequisite renderer exploit lands in the first place; for MEDIUM, there is no separate mitigation deadline under noisgate.
  3. Watch browser-to-child-process behavior — Tune EDR to alert when google-chrome or chrome spawns unusual shells, downloaders, or interpreters, or accesses credential-heavy locations unexpectedly. This matters because if CVE-2026-11071 is ever used, it is likely in a broader post-renderer chain where process ancestry becomes one of the few useful signals.
  4. Prioritize privileged Linux users — If you cannot verify patch state everywhere immediately, audit Linux endpoints used by admins, developers, and cloud operators first. Those users hold the sessions and secrets that make a browser chain worth cashing out.
What doesn't work
  • A network perimeter block does not fix a client-side browser memory bug; there is no exposed service to firewall off.
  • MFA alone does not stop post-browser-compromise session theft or in-session abuse once the user is already authenticated.
  • Version-blind EDR deployment is not a substitute for inventory; if you do not know which Linux endpoints are still below 149.0.7827.53, you cannot bound exposure.
06 · Verification

Crowdsourced verification payload.

Run this on the target Linux endpoint or through your fleet agent as root or a regular user with execute access to the Chrome binary. Example: bash check_chrome_cve_2026_11071.sh or bash check_chrome_cve_2026_11071.sh /usr/bin/google-chrome-stable. It checks installed Google Chrome binaries and reports VULNERABLE, PATCHED, or UNKNOWN against the fixed version 149.0.7827.53.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_chrome_cve_2026_11071.sh
# Determine whether Google Chrome on Linux is vulnerable to CVE-2026-11071
# Affected: Google Chrome on Linux < 149.0.7827.53
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / not enough data

set -u

FIXED_VERSION="149.0.7827.53"
TARGET_BIN="${1:-}"

candidates=(
  "/usr/bin/google-chrome-stable"
  "/usr/bin/google-chrome"
  "/opt/google/chrome/google-chrome"
  "/snap/bin/chromium"
)

version_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ] && [ "$1" != "$2" ]
}

get_version() {
  local bin="$1"
  local out ver
  if ! out="$($bin --version 2>/dev/null)"; then
    return 1
  fi
  ver="$(printf '%s' "$out" | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n1)"
  [ -n "$ver" ] || return 1
  printf '%s' "$ver"
  return 0
}

check_one() {
  local bin="$1"
  local ver
  ver="$(get_version "$bin")" || return 2

  printf 'BINARY=%s\n' "$bin"
  printf 'VERSION=%s\n' "$ver"
  printf 'FIXED_VERSION=%s\n' "$FIXED_VERSION"

  if version_lt "$ver" "$FIXED_VERSION"; then
    echo "VULNERABLE"
    return 1
  else
    echo "PATCHED"
    return 0
  fi
}

# If a specific binary was supplied, check only that.
if [ -n "$TARGET_BIN" ]; then
  if [ ! -x "$TARGET_BIN" ]; then
    echo "UNKNOWN"
    echo "Reason: specified binary is not executable: $TARGET_BIN"
    exit 2
  fi
  check_one "$TARGET_BIN"
  exit $?
fi

found_any=0
unknown_any=0
for bin in "${candidates[@]}"; do
  if [ -x "$bin" ]; then
    found_any=1
    check_one "$bin"
    rc=$?
    case "$rc" in
      0) exit 0 ;;
      1) exit 1 ;;
      2) unknown_any=1 ;;
    esac
  fi
done

# Fallback: try PATH lookups
for name in google-chrome-stable google-chrome; do
  if command -v "$name" >/dev/null 2>&1; then
    found_any=1
    bin="$(command -v "$name")"
    check_one "$bin"
    rc=$?
    case "$rc" in
      0) exit 0 ;;
      1) exit 1 ;;
      2) unknown_any=1 ;;
    esac
  fi
done

if [ "$found_any" -eq 0 ]; then
  echo "UNKNOWN"
  echo "Reason: no Google Chrome binary found in standard locations or PATH"
  exit 2
fi

if [ "$unknown_any" -eq 1 ]; then
  echo "UNKNOWN"
  echo "Reason: Chrome binary found but version could not be parsed"
  exit 2
fi

echo "UNKNOWN"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, inventory Linux Chrome first and confirm which managed endpoints are still below 149.0.7827.53; prioritize developer, admin, and other privileged browsing tiers for verification. This reassessment is MEDIUM, so there is no noisgate mitigation SLA — go straight to the 365-day remediation window, but because this is a browser exploit-chain component you should still let normal auto-update policy flush it out in your next endpoint cycle and clean up stragglers quickly. There is noisgate remediation SLA of ≤365 days, and there is no active exploitation override here because the CVE is not KEV-listed and no public exploitation evidence was found in reviewed sources.

Sources

  1. Google Chrome Releases - Stable Channel Update for Desktop (Chrome 149)
  2. Google Chrome Releases - June 2026 archive
  3. Chromium issue 499227659
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS model documentation
  6. Google Chrome Help - Update Google Chrome
  7. SecurityWeek - Chrome 149 patches 429 vulnerabilities
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.