← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11078 · CWE-20 · Disclosed 2026-06-04

Inappropriate implementation in FileSystem in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a weak hinge behind a locked door, not a front door left open

CVE-2026-11078 is a FileSystem input-validation flaw in Chrome before 149.0.7827.53. Google’s June 2, 2026 stable-channel notes place it in the Medium bucket and tie it to FileSystem; the user-supplied description adds the crucial context that the attacker must already have compromised the renderer. In plain English: this is not the bug that gets the attacker into Chrome in the first place — it is the bug that may let them do more *after* they already landed code or control in the renderer via some separate browser exploit.

The vendor’s MEDIUM 6.5 is directionally fair on paper, but operationally this lands lower than teams panic-patch for because the biggest friction point is brutal: it requires a prior renderer compromise. That means this CVE is post-initial-access inside the browser exploit chain, has no KEV listing, no stated in-the-wild exploitation, and a tiny EPSS. Ubiquitous product? Yes. Standalone enterprise emergency? No.

"This is a chain component, not an entry point: treat it as a browser hardening patch, not a fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver malicious web content

The attacker still needs the victim to render attacker-controlled content, typically via a phishing link, malvertising, or a compromised site. The practical weapon here is just a crafted HTML/JS page; CVE-2026-11078 does not by itself provide initial code execution or renderer compromise.
Conditions required:
  • User visits attacker-controlled or attacker-influenced web content
  • Affected Chrome version is older than 149.0.7827.53
Where this breaks in practice:
  • Requires user interaction
  • Enterprise web filtering, Safe Browsing, and email controls reduce successful delivery
  • This step alone does not trigger the CVE’s impact
Detection/coverage: Proxy, DNS, email gateway, and browser telemetry can often see the lure stage, but not tie it specifically to CVE-2026-11078.
STEP 02

Gain renderer compromise with a separate bug

This is the decisive prerequisite. Per the supplied description, the attacker must have already compromised the renderer, which means they need a separate renderer exploit or logic flaw first; the effective weaponized tool is a multi-bug browser exploit chain, not this CVE alone.
Conditions required:
  • Attacker has a distinct renderer compromise primitive
  • That renderer bug is reachable in the victim’s browsing session
Where this breaks in practice:
  • This is a compounding exploit requirement, not a nice-to-have
  • Modern browser sandboxing and site isolation are built specifically to make this stage expensive
  • No public evidence found that CVE-2026-11078 is being used in real-world chains
Detection/coverage: Very poor signature coverage. Traditional vuln scanners cannot validate renderer compromise; EDR/browser crash telemetry is more useful than network scanners.
STEP 03

Abuse the FileSystem validation flaw

With renderer control in hand, the attacker can attempt to hit the FileSystem bug to break intended safety boundaries or tamper with state in a way the renderer should not be allowed to do. The practical effect is an integrity-impacting post-compromise primitive inside the browser chain, consistent with the supplied CVSS vector’s I:H and lack of confidentiality/availability impact.
Conditions required:
  • Renderer is already under attacker control
  • Victim is running a vulnerable Chrome build
Where this breaks in practice:
  • Likely narrow exploitability surface compared with generic renderer RCE bugs
  • No public PoC found
  • Chrome restricted bug details, suggesting technical specifics are not broadly available yet
Detection/coverage: Little direct scanner coverage. Best detection is version inventory plus browser crash/anomaly telemetry and exploit protection events.
STEP 04

Convert browser foothold into usable impact

The attacker still needs the bug’s primitive to translate into something operationally meaningful on the endpoint. In real deployments, that usually means chaining onward to persistence, credential access, or broader host compromise, and those later stages are where EDR and OS controls often catch up.
Conditions required:
  • Attacker successfully weaponizes the FileSystem primitive
  • Endpoint protections fail to interrupt later actions
Where this breaks in practice:
  • Blast radius is generally the logged-in user’s browser session and whatever can be reached from it
  • EDR, application control, and OS privilege boundaries remain in the path
  • No evidence this bug alone provides full host takeover
Detection/coverage: Endpoint telemetry is stronger here than at the browser-bug stage: child process launches, abnormal file writes, token abuse, and suspicious browser ancestry are the signals to watch.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public exploitation evidence found from the sources reviewed; the user-supplied intel also says KEV listed: No.
KEV statusNot listed in CISA KEV as of the catalog state reviewed; that matters because Chrome chain bugs that are actually burning in the wild usually get attention fast.
PoC availabilityNo public PoC located. Chromium bug details remain restricted, so defenders should assume low public exploit transparency right now, not zero technical risk.
EPSS0.00021 per user-supplied intel, which is effectively background noise and fits the post-renderer-compromise profile.
CVSS interpretationCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N means network-reachable only through user browsing, no pre-auth, user interaction required, and integrity-focused impact rather than broad data theft or crash-heavy availability loss.
Affected versionsGoogle Chrome prior to 149.0.7827.53 on desktop per Google’s June 2, 2026 stable-channel release notes.
Fixed version149.0.7827.53 on Linux and 149.0.7827.53/54 on Windows/Mac in the stable channel; for enterprise patching, treat 149.0.7827.53 as the minimum safe floor.
Researcher / reporting sourceGoogle’s stable-channel notes attribute CVE-2026-11078 to Eran Rom of Palo Alto Networks, reported on 2026-04-06.
Disclosure date2026-06-04 from the supplied intel block; Google’s stable desktop update was published on 2026-06-02, which is the patch-release anchor date defenders should use.
Scanning / exposure realityShodan/Censys/FOFA are mostly irrelevant here because Chrome desktop is not an internet-exposed service. Your exposure question is endpoint inventory and browser version compliance, not external attack-surface counts.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to MEDIUM (4.6/10)

The single biggest severity suppressor is that this flaw appears to require prior renderer compromise, making it a chain component rather than a standalone intrusion path. That sharply narrows the reachable population and means the real attacker cost sits in acquiring or pairing a separate renderer exploit first.

HIGH Vendor patch level and affected version floor
MEDIUM Assessment that this is post-renderer-compromise and therefore materially less urgent than a standalone browser RCE
LOW Precise exploitation mechanics, because Chromium bug details are still restricted

Why this verdict

  • Major downward adjustment: requires prior renderer compromise. That implies the attacker is already past the hardest part of the browser kill chain, so CVE-2026-11078 is not your initial-access problem.
  • User interaction remains required. The victim still has to browse to attacker-controlled content, which keeps email/web filtering and user-targeting friction in play.
  • No KEV, no public exploit evidence, tiny EPSS. Without real-world burn signals, this does not justify emergency treatment across a 10,000-host fleet.
  • External scanner visibility is weak, but exposure is broad. Chrome is everywhere, so you should patch it — just via normal fast browser hygiene, not incident-mode escalation.

Why not higher?

It is not higher because the attack path is compound: malicious content delivery, then a separate renderer compromise, then this FileSystem flaw. Every one of those prerequisites cuts the reachable victim pool and makes the CVE less actionable on its own than the raw integrity impact suggests.

Why not lower?

It is not lower because Chrome is a massively deployed client platform, and second-stage browser bugs still matter when they can strengthen exploit chains. Even without public exploitation, browser fleet hygiene matters, and this is still a real security fix in a ubiquitous app used on practically every endpoint.

05 · Compensating Control

What to do — in priority order.

  1. Accelerate browser auto-update rings — Move Chrome to the front of your normal client-update cadence so vulnerable builds age out quickly. For a MEDIUM verdict there is no mitigation SLA, so use this as standard hygiene and complete remediation within the 365-day remediation window rather than treating it as a special emergency.
  2. Enforce enterprise Chrome version compliance — Use MDM, EDR, or software inventory to identify endpoints below 149.0.7827.53 and push them through your standard browser remediation workflow. With no mitigation SLA, this is mainly about shrinking lingering legacy versions and getting to the fixed build within the 365-day remediation window.
  3. Reduce risky browsing paths — Tighten web filtering, isolate unknown categories, and keep Safe Browsing or equivalent reputation controls enabled because the exploit chain still starts with hostile content delivery. This does not patch the bug, but it raises attacker cost while you remediate under the MEDIUM bucket’s no-mitigation-SLA model.
  4. Watch for browser-to-host post-exploitation — Tune EDR to flag suspicious browser child processes, script interpreters launched by Chrome ancestry, odd file writes from the browser, and token abuse. That matters because the highest-value detection point is usually after a browser exploit chain lands, not during the restricted Chromium bug itself.
What doesn't work
  • A network vulnerability scanner will not tell you much here, because this is not an internet-facing daemon with a handshake banner; it is a local browser version and exploit-chain problem.
  • MFA is irrelevant to the vulnerability mechanics; it may help elsewhere in the intrusion path but does not stop a browser renderer-to-FileSystem chain.
  • A generic WAF does not meaningfully protect desktop Chrome clients browsing the web, because the vulnerable code is on the endpoint, not on your server tier.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your fleet-management agent on Linux or macOS systems with Chrome/Chromium installed. Invoke it as bash check_chrome_cve_2026_11078.sh or push it remotely via your EDR/MDM shell runner; no root is required, but the script needs permission to execute the browser binary if present.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_chrome_cve_2026_11078.sh
# Detect whether local Chrome/Chromium is older than 149.0.7827.53.
# Outputs one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

MIN_VERSION="149.0.7827.53"
FOUND_VERSION=""
FOUND_BIN=""

candidates=(
  "google-chrome"
  "google-chrome-stable"
  "chromium"
  "chromium-browser"
  "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
  "/Applications/Chromium.app/Contents/MacOS/Chromium"
)

get_version() {
  local bin="$1"
  local out
  out="$($bin --version 2>/dev/null)" || return 1
  echo "$out" | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n1
}

version_lt() {
  # returns 0 if $1 < $2
  local IFS=.
  local i
  local -a a=($1)
  local -a b=($2)

  for ((i=${#a[@]}; i<4; i++)); do a[i]=0; done
  for ((i=${#b[@]}; i<4; i++)); do b[i]=0; done

  for i in 0 1 2 3; do
    if ((10#${a[i]} < 10#${b[i]})); then
      return 0
    elif ((10#${a[i]} > 10#${b[i]})); then
      return 1
    fi
  done
  return 1
}

for bin in "${candidates[@]}"; do
  if command -v "$bin" >/dev/null 2>&1; then
    ver="$(get_version "$bin")"
    if [[ -n "$ver" ]]; then
      FOUND_VERSION="$ver"
      FOUND_BIN="$bin"
      break
    fi
  elif [[ -x "$bin" ]]; then
    ver="$(get_version "$bin")"
    if [[ -n "$ver" ]]; then
      FOUND_VERSION="$ver"
      FOUND_BIN="$bin"
      break
    fi
  fi
done

if [[ -z "$FOUND_VERSION" ]]; then
  echo "UNKNOWN - Chrome/Chromium not found or version unreadable"
  exit 2
fi

if version_lt "$FOUND_VERSION" "$MIN_VERSION"; then
  echo "VULNERABLE - $FOUND_BIN version $FOUND_VERSION is older than $MIN_VERSION"
  exit 1
else
  echo "PATCHED - $FOUND_BIN version $FOUND_VERSION meets or exceeds $MIN_VERSION"
  exit 0
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: inventory Chrome versions first, then let this ride through your standard browser update machinery rather than detonating an emergency CAB. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window — but because this is a ubiquitous browser component, you should still push 149.0.7827.53+ through normal endpoint update rings promptly and make completion tracking part of your noisgate remediation SLA reporting.

Sources

  1. Google Chrome Releases - Stable Channel Update for Desktop (June 2, 2026)
  2. Chromium issue tracker entry 499917177
  3. Chromium Security project page
  4. GovCERT.HK advisory for Chrome 149.0.7827.53
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS API
  7. CVE record
  8. NVD record
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.