← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11103 · CWE-269 · Disclosed 2026-06-04

Inappropriate implementation in Installer in Google Chrome on Windows prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a spare key hidden under the mat, not a burglar kicking in the front door

CVE-2026-11103 is a Windows-only Google Chrome Installer flaw affecting versions prior to 149.0.7827.53. The bug lets a local attacker use a malicious file to cross an OS privilege boundary, so the end state is meaningful: code that started at normal user level may end up with elevated rights on the host.

The vendor-style HIGH/7.3 label overstates patch urgency for enterprise triage because the attacker does not get in from the network. They need a local foothold, a logged-in user context, and user interaction with a malicious file first. That makes this a post-initial-access privilege-escalation assist, not an internet-exposed emergency, so the operational severity drops to MEDIUM even though the technical impact is serious when it lands.

"Real privilege-escalation impact, but it is still a post-compromise Windows installer bug with thin exploitation evidence"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land on the endpoint first

The attacker needs code execution or at least an authenticated user session on a Windows machine that has vulnerable Chrome installed. In practice this usually means phishing, a separate malware loader, stolen credentials, or hands-on-keyboard access already succeeded. Tooling here is a commodity loader or phish-delivered dropper, not a Chrome-only exploit.
Conditions required:
  • Windows endpoint
  • Chrome installed below 149.0.7827.53
  • Attacker has local standard-user execution or a user account
Where this breaks in practice:
  • This is not reachable from the internet
  • Email gateway, web filtering, SmartScreen, and EDR should stop many initial payloads before this CVE matters
  • If the attacker already has local execution, they often have multiple other privesc options
Detection/coverage: EDR and email/web security have the best chance to break the chain here. Vulnerability scanners can identify old Chrome versions, but they cannot infer whether an attacker already has the needed foothold.
STEP 02

Deliver the malicious file trigger

Exploitation requires a malicious file and UI:R, which means the victim has to open, run, or otherwise interact with attacker-controlled content. The weaponized tool is effectively a custom trigger file plus launcher, and as of this review no public GitHub PoC is established. This is a narrower path than a silent memory-corruption bug in the browser renderer.
Conditions required:
  • User interaction with attacker-supplied file
  • Ability to place or download file onto disk
Where this breaks in practice:
  • Mark-of-the-Web, SmartScreen, attachment controls, and browser download protections add real drag
  • Users must still execute or interact with the file path that reaches the vulnerable installer behavior
Detection/coverage: Look for Chrome-related installer/update activity immediately after a download, archive extraction, or script launcher from user-writable paths such as Downloads, %TEMP%, or %LOCALAPPDATA%.
STEP 03

Abuse the installer privilege boundary

The bug sits in Installer on Windows, so the exploit attempts to make privileged installer logic do something it should not. The weaponized component is a custom local privesc chain against Chrome Installer; Google has not published exploit details and the referenced Chromium issue remains restricted. Successful exploitation would cross from user context toward elevated OS context.
Conditions required:
  • Vulnerable Chrome version
  • Windows installer path present and reachable
  • Exploit compatible with the target's local configuration
Where this breaks in practice:
  • Restricted bug details make exploit engineering harder for opportunistic actors
  • Installer-context flaws are often sensitive to path, ACL, race, or environment assumptions that break on real fleets
  • Some estates rely on managed enterprise installs that reduce odd installer invocation patterns
Detection/coverage: Authenticated host scanners have good coverage for version detection. Behavioral detection is weaker because exploit specifics are not public; watch for abnormal child processes or file operations from Chrome installer/update components.
STEP 04

Cash out with elevated execution

If exploitation succeeds, the attacker can run follow-on actions with higher OS privileges: disable protections, dump secrets, install persistence, or pivot deeper on the host. The tool at this stage is whatever post-exploitation framework the actor already carries, from a commodity RAT to a living-off-the-land PowerShell chain.
Conditions required:
  • Exploit completes reliably
  • Elevated token or privileged process is obtained
Where this breaks in practice:
  • EDR tamper protection, WDAC/AppLocker, and least-privilege controls can still limit what the attacker does next
  • A local privesc only expands impact on that host; it does not automatically become domain-wide compromise
Detection/coverage: Watch for new privileged child processes from Chrome/Google Update components, service creation, scheduled tasks, token manipulation, or unusual writes into protected directories/registry hives.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo current public exploitation evidence in this review. CISA KEV does not list the CVE, and the CVE enrichment visible via CIRCL shows Exploitation: none.
Proof-of-concept availabilityNo public GitHub PoC established from the sources reviewed. The Chromium bug reference exists, but details appear restricted.
EPSS0.00008 from the user-supplied intel block — effectively very low predicted near-term exploitation. Percentile was not authoritatively verified in this review, so do not overfit on an inferred rank.
KEV statusNot listed in the CISA Known Exploited Vulnerabilities Catalog as of this assessment.
CVSS vectorCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H — that is a local, authenticated, user-assisted privesc with high impact on success, which is exactly why raw CVSS overstates urgency for fleet patch queues.
Affected versionsGoogle Chrome on Windows prior to 149.0.7827.53. The June 2, 2026 Stable release notes show 149.0.7827.53/54 for Windows/Mac and 149.0.7827.53 for Linux, but this CVE is Windows-specific.
Fixed versionPatch level: 149.0.7827.53 or later on Windows. Enterprise estates pinned below that build remain exposed until the pin is lifted or the baseline is advanced.
Scanning / exposure dataInternet exposure is not the story. This is a local installer flaw, so Shodan/Censys/FOFA-style internet census data is largely irrelevant; the useful exposure metric is simply how many Windows endpoints still run Chrome below the fixed version.
Disclosure timelineStable release published 2026-06-02; CVE publication in the Chrome/CVE ecosystem shows 2026-06-04. Google also pushed an early stable build to a small percentage of users on 2026-05-29.
Reporter / bug classChrome release notes mark the issue as reported by Google on 2026-04-07 and label it Chromium security severity: Medium, even though the supplied CVSS baseline is 7.3 High.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.6/10)

The decisive downward pressure is attacker position: this starts only after the adversary already has a local foothold or a user willing to run a malicious file on a Windows host. That makes it a post-compromise privilege-escalation enabler rather than an initial-access event, despite the fact that successful exploitation can yield serious OS-level impact.

HIGH Attack preconditions materially reduce enterprise-wide urgency
MEDIUM Exact exploit reliability in the wild, because bug details remain restricted

Why this verdict

  • Down from 7.3 because attacker position is already inside the hostAV:L + PR:L means the adversary needs local execution or a valid user context first, which implies prior compromise or insider access
  • Another notch down because user interaction is requiredUI:R plus a malicious file means this is not a silent drive-by or wormable browser bug
  • Narrower reachable population than generic Chrome RCE — Windows-only installer path, not Linux/macOS/Android, and only endpoints still below 149.0.7827.53 are in play
  • Threat intel is cold — no KEV listing, no public exploitation evidence surfaced here, no confirmed public PoC, and EPSS is extremely low
  • But not low/ignore — Chrome is ubiquitous, and local privesc on a browser-heavy Windows fleet still meaningfully amplifies commodity malware once it gets a foothold

Why not higher?

This is not remotely reachable and does not give an attacker a beachhead by itself. Modern enterprise controls should block many chains before the malicious file ever reaches a vulnerable installer path, and even after initial access the exploit still has to work reliably on the endpoint.

Why not lower?

Privilege escalation still matters because it converts cheap user-level access into something with much higher host impact. On a large Windows estate, even a medium-confidence local privesc in a ubiquitous product can materially improve attacker survivability and follow-on abuse once another entry vector succeeds.

05 · Compensating Control

What to do — in priority order.

  1. Block execution from user-writable paths — Use WDAC, AppLocker, or SRP to prevent executables, scripts, and MSI-like launch paths from Downloads, %TEMP%, %APPDATA%, and other user-writable locations. This directly attacks the malicious-file prerequisite and is worth doing now; for a MEDIUM finding there is no noisgate mitigation SLA — go straight to the 365-day remediation window, but this hardening should still be standard baseline hygiene.
  2. Keep Chrome auto-update enabled — Review Chrome Enterprise update policy and remove version pins or disabled-update settings that strand devices below 149.0.7827.53. Google recommends automatic updates; for this MEDIUM verdict there is no mitigation SLA, so use normal change control while making sure the estate naturally converges on the fixed build well inside the remediation window.
  3. Alert on abnormal Chrome installer activity — Create EDR detections for Chrome or Google Update installer components spawning shells, script hosts, LOLBINs, or writing into protected locations. This does not replace patching, but it raises the cost of using the bug for local privesc while vulnerable versions still exist.
  4. Reduce standing local admin and installer abuse paths — Enforce least privilege, tighten software installation rights, and review installer-related allow rules that give normal users too much leverage. That limits the blast radius if an attacker tries to turn a user-context foothold into elevated execution through any local installer bug, not just this one.
What doesn't work
  • A WAF or perimeter IPS does not help; this is a local installer bug, not a network-facing exploit path
  • MFA is not a direct control for this CVE once an attacker already has local execution on the endpoint
  • External attack-surface scanning is mostly noise here because Shodan/Censys-style internet discovery cannot tell you whether the vulnerable local installer path is present or reachable
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows endpoint or through your RMM/EDR live response console. Invoke it with powershell.exe -ExecutionPolicy Bypass -File .\check-chrome-cve-2026-11103.ps1; standard user rights are usually enough to read file versions, but admin rights help if you want complete visibility into all install locations. The script reports VULNERABLE, PATCHED, or UNKNOWN based on installed Chrome version compared with the fixed build 149.0.7827.53.

noisgate-verify.ps1
POWERSHELLREAD-ONLYSAFE
#requires -version 5.1
<#
check-chrome-cve-2026-11103.ps1
Purpose: Detect likely exposure to CVE-2026-11103 by checking installed Google Chrome
         versions on Windows against fixed version 149.0.7827.53.
Output : VULNERABLE / PATCHED / UNKNOWN
Exit codes:
  0 = PATCHED
  1 = VULNERABLE
  2 = UNKNOWN
#>

$ErrorActionPreference = 'SilentlyContinue'
$FixedVersion = [version]'149.0.7827.53'
$Found = @()

function Get-VersionObject {
    param([string]$VersionString)
    if ([string]::IsNullOrWhiteSpace($VersionString)) { return $null }
    $clean = ($VersionString -replace '[^0-9\.]', '').Trim('.')
    try { return [version]$clean } catch { return $null }
}

function Add-Candidate {
    param([string]$Path)
    if (-not [string]::IsNullOrWhiteSpace($Path) -and (Test-Path $Path)) {
        $item = Get-Item $Path
        $ver  = Get-VersionObject $item.VersionInfo.ProductVersion
        if (-not $ver) { $ver = Get-VersionObject $item.VersionInfo.FileVersion }
        if ($ver) {
            $Found += [pscustomobject]@{
                Path    = $Path
                Version = $ver
            }
        }
    }
}

# Common install locations
$Candidates = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "$env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe",
    "$env:LocalAppData\Google\Chrome\Application\chrome.exe"
)

foreach ($c in $Candidates) { Add-Candidate -Path $c }

# App Paths registry
$appPathKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
)
foreach ($key in $appPathKeys) {
    $defaultPath = (Get-ItemProperty -Path $key).'(default)'
    if (-not $defaultPath) { $defaultPath = (Get-Item -Path $key).GetValue('') }
    Add-Candidate -Path $defaultPath
}

# Deduplicate by path
$Found = $Found | Sort-Object Path -Unique

if (-not $Found -or $Found.Count -eq 0) {
    Write-Output 'UNKNOWN - Google Chrome not found in standard locations'
    exit 2
}

$Vulnerable = $Found | Where-Object { $_.Version -lt $FixedVersion }

if ($Vulnerable) {
    $details = ($Vulnerable | ForEach-Object { "$($_.Path) [$($_.Version)]" }) -join '; '
    Write-Output "VULNERABLE - Found Chrome version(s) below $FixedVersion : $details"
    exit 1
}
else {
    $details = ($Found | ForEach-Object { "$($_.Path) [$($_.Version)]" }) -join '; '
    Write-Output "PATCHED - All discovered Chrome version(s) are >= $FixedVersion : $details"
    exit 0
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: treat this as fleet hygiene with teeth, not a fire drill. Query your Windows estate for Chrome versions below 149.0.7827.53, remove any enterprise version pins or disabled-update policies, and fold remaining laggards into your normal browser patch wave. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window; your noisgate remediation SLA is ≤365 days for the actual vendor patch, but most mature shops should clear browser stragglers far sooner because the same old endpoints usually also carry other post-compromise risk.

Sources

  1. Google Chrome Releases - Stable Channel Update for Desktop (June 2, 2026)
  2. Google Chrome Releases - Early Stable Update for Desktop (May 29, 2026)
  3. Chromium issue reference 500483038
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS overview
  6. Chrome Enterprise - Manage Chrome updates
  7. Chrome Enterprise - Manage Chrome updates (Windows)
  8. Google Chrome Help - Update Google Chrome
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.