← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11074 · CWE-416 · Disclosed 2026-06-04

Use after free in WebRTC in Google Chrome on Linux prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a burglar getting into the apartment lobby, not automatically the penthouse

This is a WebRTC *use-after-free* in Google Chrome on Linux affecting builds before 149.0.7827.53, disclosed on 2026-06-04. The attacker path is classic browser exploitation: get a user onto a crafted page, trigger memory corruption in the renderer-side processing path, and aim for code execution. Public mirrors and the user-supplied intel map this to CVE-2026-11074; Google’s June 2, 2026 stable release advisory confirms 149.0.7827.53 as the Linux fix line for this disclosure batch.

Google’s 8.8/HIGH baseline is technically fair for a remotely triggerable browser memory bug, but it overstates enterprise urgency if you are triaging a 10,000-host patch queue. The real-world drag is substantial: *user interaction is required, the target population is Linux Chrome only, there is no KEV listing or active exploitation evidence, EPSS is very low, and modern Chromium sandboxing/site isolation materially reduces immediate blast radius unless the attacker also has a second escape or privilege-escalation bug.*

"Drive-by reachable, but Linux-only and still trapped in Chrome’s sandbox in most real-world attacks."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the user on a malicious page

The attacker needs a Linux Chrome user to open attacker-controlled web content that exercises WebRTC. In practice this means phishing, malvertising, a compromised site, or an embedded browser session inside a workflow used by developers or admins.
Conditions required:
  • Target uses Google Chrome on Linux
  • Browser version is older than 149.0.7827.53
  • User visits attacker-controlled or attacker-influenced content
Where this breaks in practice:
  • This is *not* a service-side bug; there is no blind internet spraying against servers
  • Linux Chrome is a smaller enterprise population than Windows Chrome
  • Web filtering, Safe Browsing, secure email gateways, and user behavior all cut initial reach
Detection/coverage: Vulnerability scanners can inventory vulnerable Chrome versions, but they cannot prove exploitability from the wire. Web proxy, DNS, email, and browser telemetry are the main visibility points for this step.
STEP 02

Trigger the WebRTC memory corruption

A crafted HTML/WebRTC sequence aims to hit the freed object at the right time and turn a crash into controlled execution. Weaponization of UAFs is common, but reliability still varies by build, allocator behavior, and exploit engineering quality.
Conditions required:
  • The vulnerable WebRTC code path is reachable on the target build
  • The attacker can shape heap state well enough to turn UAF into useful control
Where this breaks in practice:
  • Many UAFs crash more easily than they execute reliably
  • Linux-specific exploit stability can vary across distro, sandbox, allocator, and kernel combinations
  • Bug details are commonly embargoed until most users update
Detection/coverage: Crash telemetry, browser crash dumps, EDR child-process anomalies, and unusual chrome renderer terminations may surface failed attempts. Signature-based network detection is usually weak for this class.
STEP 03

Gain code execution in the sandboxed renderer

The nearest public NVD analogs for the same June 2026 Chrome release cohort describe WebRTC UAF execution *inside a sandbox*. That matters: arbitrary code in a renderer is bad, but it is not equivalent to unconstrained OS-level RCE on the host.
Conditions required:
  • Exploit succeeds beyond a crash
  • Chrome renderer sandbox remains the initial execution context
Where this breaks in practice:
  • Chromium’s multi-process sandbox and site isolation are specifically designed to contain compromised renderers
  • Direct disk, device, and cross-site access are restricted from the renderer in modern Chrome
Detection/coverage: EDR can sometimes catch unusual renderer behavior, shell spawning, or post-exploitation staging. Commodity vuln scanners do not validate sandbox containment.
STEP 04

Chain to escape or steal useful data

To turn this into a top-tier enterprise incident, the attacker usually needs a second bug or a high-value in-browser target: sandbox escape, local privilege escalation, extension abuse, token theft, or credential/session capture from the user context. Without that second stage, impact is narrower than the CVSS headline suggests.
Conditions required:
  • Attacker has a workable post-renderer objective
  • Either sensitive browser-resident data is accessible or another exploit primitive exists
Where this breaks in practice:
  • No active campaign or KEV evidence suggests a mature exploit chain here
  • Second-stage chaining sharply reduces the number of real attackers who can operationalize this
  • Enterprise EDR, browser hardening, and restricted local privilege models increase failure rates
Detection/coverage: Look for follow-on events: abnormal child processes from Chrome, suspicious downloads, credential theft artifacts, extension installs, or local privilege escalation telemetry.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence reviewed of active exploitation for CVE-2026-11074; *not* KEV-listed.
KEV statusAbsent from CISA KEV as of the reviewed catalog state; the Chrome/WebRTC-related entry visible there is older (CVE-2022-2294), not this flaw.
Proof-of-concept availabilityNo public PoC located in reviewed sources. Chromium bug details are commonly restricted after release, and the linked issue tracker entry requires sign-in.
EPSSUser-supplied EPSS is 0.00071 (~0.071% 30-day exploit probability), which is *low*. Exact percentile was not available in reviewed public sources.
CVSS vector meaningAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H means easy remote reach *after a user browses to content*, but it still depends on UI:R; this is not wormable or unauthenticated server-side exposure.
Affected versionsGoogle Chrome on Linux prior to 149.0.7827.53.
Fixed versionGoogle stable desktop release on 2026-06-02: 149.0.7827.53 for Linux. Distro-packaged Chromium/Chrome may appear as backported builds with different package release numbers; verify the vendor’s patched package, not just upstream numbering.
Scanning / exposure realityShodan/Censys/FOFA-style internet exposure counts are basically *not applicable* here because this is a client-side browser bug, not a network-listening edge service. Your exposure is endpoint fleet composition, not internet-facing asset count.
Disclosure timelineChrome stable update published 2026-06-02; user-supplied CVE disclosure date is 2026-06-04; Canadian Cyber Centre advisory posted 2026-06-03.
Researcher / reportingThe exact CVE-2026-11074 reporting identity was not confirmed in reviewed authoritative sources. In the same June 2026 Chrome release cohort, related WebRTC UAF entries were reported by both Google and external researchers.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (6.4/10)

The decisive factor is *containment*: this is a drive-by browser memory corruption bug, but in modern Chrome on Linux the attacker still typically lands inside a restricted renderer sandbox first. With no KEV listing, no public exploitation evidence, a very low EPSS, and a Linux-only affected population, this is a serious patch item but not an all-hands fire drill.

MEDIUM Severity reassessment
HIGH Affected version floor and fixed Linux version `149.0.7827.53`
MEDIUM Inference that immediate code execution is sandbox-constrained based on closely related June 2026 Chrome/NVD records

Why this verdict

  • User interaction drags this down: the attacker must get a user onto crafted content, which implies phishing, malvertising, or site compromise rather than direct blind exploitation.
  • Linux-only narrows the reachable population: in most enterprises, Linux Chrome is a much smaller fleet than Windows browsers, so the exposed population is materially lower than the vendor base score assumes.
  • The likely first win is renderer compromise, not host takeover: Chromium’s sandbox and site isolation are built to contain compromised renderer processes, so the attacker usually needs a second-stage escape or data-theft objective to turn this into a full endpoint incident.
  • Threat intel is cold: no KEV listing, no public exploitation evidence, and a very low EPSS (0.00071) are all downward pressure against the vendor 8.8 baseline.
  • Still not low: it is remotely reachable through normal browsing, requires no auth, and memory-corruption bugs in browsers remain high-value to capable actors.

Why not higher?

There is no evidence in the reviewed sources that this CVE is being exploited in the wild, and there is no KEV pressure. More importantly, the path appears to stop at sandboxed renderer execution in the first stage, which is a real but contained foothold rather than immediate unconstrained OS-level RCE.

Why not lower?

This is still a browser memory-safety flaw reachable from web content with no privileges required. Even with user interaction and sandboxing, browsers are high-frequency exposure points, and a capable attacker can combine a renderer bug with credential theft, browser data access, or a second-stage escape.

05 · Compensating Control

What to do — in priority order.

  1. Force browser updates — Push managed Chrome updates or package updates to Linux endpoints and verify the fleet converges on 149.0.7827.53 or distro-equivalent patched builds. For a MEDIUM noisgate verdict there is *no mitigation SLA*; go straight to the remediation window and complete patching within 365 days, but in practice browsers should ride the next normal endpoint patch wave.
  2. Reduce risky browsing paths — Prioritize web filtering, Safe Browsing enforcement, and email-link detonation for Linux user groups that browse untrusted content. This lowers the chance the required UI:R step ever lands; deploy as part of normal control hygiene while patching within the 365-day remediation window.
  3. Harden Chrome policy — Use enterprise policy to restrict unnecessary features and extensions, keep Site Isolation defaults intact, and prevent users from weakening browser security settings. This does not remove the bug, but it preserves the controls that make the first-stage blast radius smaller while you remediate within the 365-day window.
  4. Watch renderer-to-host pivots — Tune EDR detections for suspicious child processes from chrome, abnormal extension installs, credential-store access, and unusual crash bursts. That gives you a shot at catching failed or partially successful exploit chains while patched rollout proceeds under the MEDIUM remediation window.
What doesn't work
  • Perimeter firewall changes do *not* solve this; the exploit rides normal outbound web browsing, not inbound service exposure.
  • A WAF does not help; there is no server application here to protect.
  • Network vulnerability scanners will not meaningfully reduce risk by themselves; they can inventory versions, but they cannot stop user-driven browser exploitation.
  • Disabling only remote inbound access to the endpoint is irrelevant; the trigger is the browser visiting content.
06 · Verification

Crowdsourced verification payload.

Run this on the Linux target host or through your Linux endpoint management agent. Invoke it as bash check_chrome_cve_2026_11074.sh with standard user rights; root is *not* required unless your fleet stores Chrome binaries in nonstandard protected paths.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_chrome_cve_2026_11074.sh
# Detects whether Google Chrome on Linux is vulnerable to CVE-2026-11074
# Logic: versions prior to 149.0.7827.53 are VULNERABLE
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

FIXED_VERSION="149.0.7827.53"

find_chrome() {
  local candidates=(
    "google-chrome"
    "google-chrome-stable"
    "/usr/bin/google-chrome"
    "/usr/bin/google-chrome-stable"
    "/opt/google/chrome/chrome"
    "/snap/bin/chromium"
    "chromium"
    "chromium-browser"
  )

  local c
  for c in "${candidates[@]}"; do
    if command -v "$c" >/dev/null 2>&1; then
      command -v "$c"
      return 0
    elif [ -x "$c" ]; then
      echo "$c"
      return 0
    fi
  done
  return 1
}

extract_version() {
  local bin="$1"
  local out
  out="$($bin --version 2>/dev/null || true)"
  echo "$out" | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n1
}

vercmp() {
  # returns: 0 equal, 1 greater, 2 less
  local a="$1" b="$2"
  if [ "$a" = "$b" ]; then
    return 0
  fi
  local first
  first=$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)
  if [ "$first" = "$a" ]; then
    return 2
  else
    return 1
  fi
}

BIN="$(find_chrome || true)"
if [ -z "$BIN" ]; then
  echo "UNKNOWN: Chrome/Chromium binary not found"
  exit 2
fi

VERSION="$(extract_version "$BIN")"
if [ -z "$VERSION" ]; then
  echo "UNKNOWN: Unable to determine browser version from $BIN"
  exit 2
fi

# This CVE is described for Google Chrome on Linux. Chromium may carry equivalent fixes via distro backports.
# If we find Chromium, version-only comparison may be insufficient; flag UNKNOWN unless version clearly meets/exceeds upstream fix.
BASENAME="$(basename "$BIN")"

vercmp "$VERSION" "$FIXED_VERSION"
CMP=$?

if [ "$CMP" -eq 2 ]; then
  if [[ "$BASENAME" == chromium* ]]; then
    echo "UNKNOWN: Chromium version $VERSION is below upstream Chrome fix $FIXED_VERSION; verify distro backport status"
    exit 2
  fi
  echo "VULNERABLE: $BIN version $VERSION is older than fixed version $FIXED_VERSION"
  exit 1
elif [ "$CMP" -eq 0 ] || [ "$CMP" -eq 1 ]; then
  echo "PATCHED: $BIN version $VERSION is at or above fixed version $FIXED_VERSION"
  exit 0
else
  echo "UNKNOWN: Version comparison failed"
  exit 2
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: pull your Linux Chrome inventory, identify anything older than 149.0.7827.53, and roll those endpoints into the next normal browser patch motion rather than interrupting the whole patch calendar. For a MEDIUM verdict there is noisgate mitigation SLA — *no mitigation SLA — go straight to the 365-day remediation window* — and the noisgate remediation SLA is <= 365 days; in practice, for browsers, finish in your next routine endpoint/browser update cycle and spend emergency bandwidth elsewhere unless new exploitation evidence appears.

Sources

  1. Google Chrome Releases: Stable Channel Update for Desktop (June 2, 2026)
  2. Canadian Centre for Cyber Security AV26-544
  3. NVD detail for closely related June 2026 Chrome WebRTC UAF (`CVE-2026-10939`)
  4. Chromium Site Isolation design document
  5. Chromium Secure Architecture overview
  6. CISA Known Exploited Vulnerabilities Catalog
  7. FIRST EPSS overview / methodology
  8. Quanteta CVE tracker entry showing public mirroring of `CVE-2026-11074` metadata
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.