CVE-2026-11079 · Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of

01 · The Real Story

This is a bad movie file in a locked room, not an exposed admin panel on the internet

CVE-2026-11079 is an input-validation flaw in Chrome's Codecs component affecting Google Chrome versions before 149.0.7827.53 on Linux and before 149.0.7827.53/54 on Windows and macOS. The attack path is straightforward at the browser layer: deliver crafted media through a web page, ad, or downloaded file, get the user to render it, and trigger faulty parsing in the codec stack. The public release note does not describe direct system-level RCE, and the user-supplied title is truncated, so the most defensible read is browser-process memory-safety impact rather than guaranteed host takeover.

The vendor-style 8.8/HIGH framing overstates what defenders should prioritize for enterprise patching. In the real world this is client-side, user-interaction-required, not internet-service-exposed, shows no KEV listing, and carries an extremely low EPSS; on top of that, Chromium's sandbox means a browser parser bug often needs a second vulnerability to become a machine-compromise event. That combination pushes this down from emergency patch queue material into normal-but-not-ignored browser hygiene.

"Big browser footprint, but this is still a user-driven client bug with no exploit signal and likely needs more than one bug to matter"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver crafted media through the browser

The attacker hosts or embeds a malformed media object using standard browser delivery paths: a web page, ad slot, social link, or downloaded file opened in Chrome. No credentials are needed; the weaponization is just content delivery plus a user visit. Tooling is trivial here: plain HTML plus a crafted video container is enough.

Conditions required:

Target uses Google Chrome below 149.0.7827.53
Target user browses to attacker-controlled or attacker-influenced content
The page or file causes Chrome to invoke the vulnerable codec path

Where this breaks in practice:

Requires UI:R — somebody must load the page or file
Enterprise web filtering, safe browsing, and ad blocking cut down first-touch delivery
Managed Chrome fleets often auto-update quickly, shrinking the vulnerable population

Detection/coverage: Version scanners can identify outdated Chrome, but network scanners do not meaningfully detect this because it is not a listening service.

STEP 02

Trigger the codec parser flaw

When Chrome decodes the malicious media, the vulnerable Codecs logic mishandles untrusted fields and hits the memory-safety condition. Public details are sparse because bug links are commonly restricted until rollout matures, so reliable exploit mechanics are not public. The practical toolset is private exploit dev or fuzzing-derived test cases, not a widely shared kit.

Conditions required:

The crafted media reaches the specific vulnerable codec code path
The malformed fields survive transit and browser normalization
The target build matches an affected version

Where this breaks in practice:

No public PoC or weaponized exploit reference was found
Codec bugs can be crashy and unstable before they become exploitably deterministic
Browser hardening features may turn some attempts into a crash instead of a controllable primitive

Detection/coverage: EDR may only see a chrome crash or abnormal child process termination; generic vuln scanners usually stop at version detection.

STEP 03

Gain browser-process impact

Best case for the attacker is controlled memory corruption or out-of-bounds access inside the browser or renderer context, leading to data exposure, process compromise, or denial of service. That is serious, but it is still browser-process impact until proven otherwise. This is the point where many vendor CVSS scores jump to worst-case CIA values, even though enterprise defenders care about how often that translates into real host compromise.

Conditions required:

The memory corruption is exploitable rather than merely crash-inducing
The browser process has access to data worth stealing or a path to a second-stage exploit

Where this breaks in practice:

Public advisories do not establish reliable code execution on the endpoint
Single-tab or single-process impact can limit blast radius
Modern browser mitigations make post-corruption control materially harder than the CVSS suggests

Detection/coverage: Browser crash telemetry, Windows Event Logs, macOS crash reports, or Linux core/crash handlers can show symptomatic failures but not prove exploitation.

STEP 04

Chain to host compromise if available

To move from a browser parser bug to durable endpoint compromise, the attacker typically needs a second bug or a permissive local execution path. Chromium's own security model assumes memory-safety bugs exist and uses sandboxing to contain them. That means the highest-impact outcome is often conditional on another vulnerability, which is exactly why this should not be treated like an unauthenticated edge RCE.

Conditions required:

A usable sandbox escape, privilege escalation, or local execution path exists
The attacker can reliably chain the browser bug with that second stage

Where this breaks in practice:

Requires post-exploitation chaining beyond the published issue
EDR and application control are more likely to trip on the second stage than on the initial parser bug
No evidence was found that such a chain is public or active for this CVE

Detection/coverage: Second-stage activity is more likely to be visible than the initial browser bug: child-process abuse, suspicious file drops, token theft, or sandbox escape behavior.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed in-the-wild exploitation found in the sources reviewed; not KEV-listed as of the current CISA KEV catalog.
Proof-of-concept availability	No public PoC or Metasploit-style module was found in primary-source review. Chrome notes that bug details may stay restricted until most users are updated in the stable release advisory.
EPSS	User-supplied EPSS is `0.00047` (~`0.047%`), which is very low. FIRST documents EPSS as a daily exploitation-probability estimate in the API/docs and data reference.
KEV status	Not present in the Known Exploited Vulnerabilities Catalog; no CISA due date applies.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` from the provided intel. Translation: easy remote delivery, but user interaction is required, which is meaningful downward pressure for patch priority.
Affected versions	Google's June 2, 2026 desktop stable release says fixes land in `149.0.7827.53` for Linux and `149.0.7827.53/54` for Windows/Mac; therefore earlier versions are affected per the Chrome release note and Canadian advisory.
Fixed versions	Upgrade to `149.0.7827.53` or later on Linux, and `149.0.7827.53/54` or later on Windows/macOS. Chrome is generally self-updating rather than distro-backported in the traditional server-package sense.
Exposure/scanning reality	No meaningful Shodan/Censys/FOFA-style population metric applies here because Chrome desktop is client software, not a remotely fingerprinted listening service. Censys' own CVE-risk docs focus on software detected in exposed attack-surface telemetry, which is the wrong exposure model for browser clients: see Censys CVE Risks FAQ.
Disclosure timeline	Disclosed `2026-06-04` in the supplied intel; the corresponding Chrome 149 stable rollout was published on June 2, 2026 in the desktop stable update.
Reporter / source quality	Chrome release notes attribute this issue to Google and note it was reported on `2026-04-06`. That is a strong signal this was internally found, not externally weaponized first.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.8/10)

The decisive factor is that this is a user-driven browser client bug, not an exposed server-side foothold. With no KEV listing, no public exploit signal, and Chrome sandboxing likely forcing a second-stage chain for host compromise, the enterprise urgency is materially below a typical 8.8/HIGH network bug.

HIGH Exposure model is materially narrower than an internet-facing server CVE

MEDIUM Direct technical impact, because the public title/description is truncated and bug details remain sparse

HIGH No current exploitation signal in reviewed public sources

Why this verdict

Start at 8.8, then cut for UI requirement: UI:R means the attacker still needs the user to render malicious media. That is a real filter in managed fleets and not just CVSS bookkeeping.
Cut again for attacker position: this is remote delivery to a browser client, not unauthenticated reachability to an enterprise service. It does not imply pre-auth compromise of a server or edge device.
Cut for exposure population: Chrome is ubiquitous, but vulnerable instances are not internet-enumerable in the way Shodan/Censys populations are. That keeps mass opportunistic exploitation less attractive than exposed edge software.
Cut for chain requirement: Chromium's sandbox architecture means a codec parser bug often yields browser-process impact first, with host compromise needing an additional escape or second bug.
Cut for threat intel: EPSS is very low, no KEV listing is present, and no public PoC/weaponized tooling was found. Attackers have many cheaper edge targets.

Why not higher?

If this were an unauthenticated server-side parser bug or if there were active exploitation evidence, this would climb fast. But the real-world chain here starts with a user visit and likely stops at browser-process impact unless the attacker has another reliable bug to chain.

Why not lower?

Browsers are everywhere, and malicious media delivery through normal web browsing is easy. Even without exploit evidence, a codec flaw in a heavily used client application is still worth fixing because the reachable population is huge and drive-by delivery is practical.

05 · Compensating Control

What to do — in priority order.

Enforce Chrome auto-update — Make sure enterprise policy does not defer or block Stable updates, because this class of browser bug is best neutralized by shrinking version lag. For a MEDIUM noisgate verdict there is no mitigation SLA; use this as normal browser-baseline hygiene while you drive remediation inside the 365-day window.
Block unmanaged browser builds — Use EDR, MDM, or software inventory policy to detect and remove stale standalone Chrome installs that sit outside your normal updater path. Again, there is no mitigation SLA for MEDIUM; do this during routine compliance cleanup rather than incident footing.
Reduce risky content paths — Keep Safe Browsing, web filtering, ad/tracker blocking, and mail-link protections enabled to lower first-touch delivery of malicious media. These controls reduce exposure now, but they are support controls, not substitutes for the fixed browser version.
Watch for browser crash clusters — Aggregate chrome crash telemetry and sudden spikes in browser faults on vulnerable builds; parser-bug exploitation often looks like instability before it looks like confirmed compromise. No mitigation SLA applies here either, so fold this into ongoing endpoint telemetry review.

What doesn't work

Perimeter vulnerability scanning doesn't help much because this is not an exposed network service.
Network segmentation is mostly irrelevant; the delivery vector is normal user web browsing, not east-west service reachability.
MFA does nothing for the initial trigger path because the attacker is exploiting media parsing, not logging in.

06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your endpoint management agent. Invoke it with python3 check_chrome_cve_2026_11079.py or python check_chrome_cve_2026_11079.py --path "C:\Program Files\Google\Chrome\Application\chrome.exe"; no admin rights are normally required unless your EDR blocks process version queries.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# check_chrome_cve_2026_11079.py
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

import os
import platform
import re
import shutil
import subprocess
import sys

THRESHOLD = (149, 0, 7827, 53)


def parse_ver(text):
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', text or '')
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def cmp_ver(a, b):
    return (a > b) - (a < b)


def get_version_from_exec(path):
    try:
        out = subprocess.check_output([path, '--version'], stderr=subprocess.STDOUT, text=True, timeout=5)
        return parse_ver(out)
    except Exception:
        return None


def candidate_paths():
    paths = []
    system = platform.system().lower()

    if system == 'windows':
        envs = [
            os.environ.get('ProgramFiles'),
            os.environ.get('ProgramFiles(x86)'),
            os.environ.get('LocalAppData')
        ]
        suffixes = [
            r'Google\Chrome\Application\chrome.exe'
        ]
        for base in envs:
            if base:
                for suffix in suffixes:
                    paths.append(os.path.join(base, suffix))
    elif system == 'darwin':
        paths.extend([
            '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
            os.path.expanduser('~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome')
        ])
    else:
        for name in ['google-chrome', 'google-chrome-stable', 'chrome']:
            found = shutil.which(name)
            if found:
                paths.append(found)
        paths.extend([
            '/opt/google/chrome/chrome',
            '/usr/bin/google-chrome',
            '/usr/bin/google-chrome-stable'
        ])

    deduped = []
    seen = set()
    for p in paths:
        if p and p not in seen:
            seen.add(p)
            deduped.append(p)
    return deduped


def main():
    arg_path = None
    if len(sys.argv) >= 3 and sys.argv[1] == '--path':
        arg_path = sys.argv[2]

    paths = [arg_path] if arg_path else candidate_paths()

    found_any = False
    for path in paths:
        if not path or not os.path.exists(path):
            continue
        found_any = True
        ver = get_version_from_exec(path)
        if ver is None:
            continue

        version_str = '.'.join(map(str, ver))
        if cmp_ver(ver, THRESHOLD) >= 0:
            print(f'PATCHED: {path} -> {version_str}')
            sys.exit(0)
        else:
            print(f'VULNERABLE: {path} -> {version_str} < 149.0.7827.53')
            sys.exit(1)

    if found_any:
        print('UNKNOWN: Chrome executable found but version could not be determined')
    else:
        print('UNKNOWN: Google Chrome not found in standard locations')
    sys.exit(2)


if __name__ == '__main__':
    main()

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, pull an inventory of Chrome versions across managed endpoints and identify anything below 149.0.7827.53/149.0.7827.54; this is a browser-baseline cleanup job, not an incident bridge. For this MEDIUM verdict there is noisgate mitigation SLA — no mitigation SLA — go straight to the 365-day remediation window — but because browser auto-update makes this cheap to close, you should fold it into your next normal browser compliance wave and make sure all stragglers are patched inside the noisgate remediation SLA of <= 365 days.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.