CVE-2026-11112 · Insufficient validation of untrusted input in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker who had

01 · The Real Story

This is the second lock on the vault, not the front door

CVE-2026-11112 affects Google Chrome on Linux before 149.0.7827.53. The published CVE record says insufficient validation of untrusted input in Chromoting can let a remote attacker who has already compromised the renderer process potentially turn that foothold into a sandbox escape via a crafted Chrome Extension. That is an important distinction: this bug does not give an attacker first-hop code execution by itself; it is a post-compromise browser-escape primitive.

The supplied 9.6/CRITICAL rating overstates reality for enterprise prioritization. Google’s own June 2, 2026 Chrome stable advisory labels CVE-2026-11112 as Medium, and that tracks the real attack path much better because the decisive friction is the required prior renderer compromise, with extra narrowing from Linux-only scope and the crafted-extension condition. In practice this is a chain-enabler for targeted exploitation, not a fleet-wide emergency.

"Treat this as a Linux Chrome sandbox-escape component, not a stand-alone internet-to-host critical."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land a renderer foothold first

The attacker needs a separate bug, exploit chain, or malicious browser content that already compromises Chrome's renderer process. CVE-2026-11112 does not provide this first-stage access; it only matters after the renderer is under attacker control. Weaponized tool in this step is effectively a separate private renderer exploit, not this CVE.

Conditions required:

Victim is using vulnerable Google Chrome on Linux
Attacker can reach the victim with web content or another browser-delivered payload
A separate renderer-compromise bug or equivalent foothold exists

Where this breaks in practice:

This is a post-initial-compromise prerequisite
Modern Chrome exploit chains usually burn multiple bugs, not one
EDR, browser hardening, Safe Browsing, and exploit mitigations can stop or crash the first-stage exploit

Detection/coverage: Vulnerability scanners will not see this prerequisite. Detection is mostly indirect: browser crash telemetry, exploit-prevention alerts, or EDR signals on unusual Chrome behavior.

STEP 02

Trigger the Chromoting validation flaw

With renderer control, the attacker then uses a crafted Chrome Extension to drive the Chromoting code path described in the CVE record. The vulnerable validation boundary is between untrusted renderer-controlled input and a more privileged component. Weaponized tool in this step is the crafted extension payload referenced by the CVE summary.

Conditions required:

Renderer process already compromised
Extension delivery or extension-like execution path is available
Target is Linux specifically

Where this breaks in practice:

The crafted-extension requirement is materially narrower than a plain malicious webpage
Enterprise extension allowlists and managed-browser policies reduce reachable targets
Linux-only scope shrinks population versus cross-platform Chrome bugs

Detection/coverage: Look for unauthorized extension installs, sideloading attempts, policy bypasses, and extension IDs not present in the approved catalog. Version-only scanners can flag vulnerable builds but cannot validate exploit reachability.

STEP 03

Convert renderer control into sandbox escape

If the validation weakness is hit successfully, the attacker may escape the browser sandbox and gain execution in a more privileged host context than the renderer. That is strategically valuable because it breaks Chrome's main containment boundary. Weaponized tool here is the Chromoting sandbox-escape primitive itself.

Conditions required:

Vulnerable Chromoting code path reachable on Linux
Exploit chain is stable enough to cross from renderer to host context

Where this breaks in practice:

No public proof-of-concept was found
Google restricted issue details until patch adoption, which typically slows copycat weaponization
Sandbox-escape reliability is often brittle across distro, kernel, and desktop variations

Detection/coverage: Behavioral detection is better than signatures: Chrome spawning unexpected child processes, suspicious IPC, writes outside normal profile paths, or EDR containment events.

STEP 04

Post-escape host actions

After escape, the attacker still lands in the permissions of the logged-in user unless they chain onward to OS privilege escalation. The likely value is credential theft, local persistence, data access, or staging another Linux local-privilege-escalation bug. Weaponized tooling after this step is standard post-exploitation tradecraft, not something unique to this CVE.

Conditions required:

Successful sandbox escape
Useful data or follow-on privileges available on the endpoint

Where this breaks in practice:

Blast radius is one endpoint and one user context at a time
Linux privilege separation, EDR, and MFA still limit downstream impact
A separate LPE is needed for root-level takeover

Detection/coverage: EDR should see the loud part here: credential store access, persistence creation, shell execution, or lateral movement from the host.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public evidence of active exploitation found in the sources reviewed, and not listed in CISA KEV.
Proof-of-concept availability	No public PoC located. Chromium issue details are restricted, which is normal early in the patch cycle and raises attacker effort.
EPSS	0.00047 (~0.047%) from the user-supplied intel. That is a very low exploitation-likelihood signal and supports a downgrade from panic-level handling.
KEV status	Not in KEV as of this assessment. That matters because KEV absence plus no exploitation reporting removes the strongest urgency amplifier.
Vendor severity mismatch	The user-supplied 9.6/CRITICAL CVSS conflicts with Google's own advisory, which labels CVE-2026-11112 as Medium on June 2, 2026. That mismatch is the whole story here: generic CVSS overweights impact while hiding the prior renderer-compromise prerequisite.
CVSS vector reality check	Supplied vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H`. In practice the missing friction is 'attacker already owns the renderer', which makes this a second-stage exploit component, not a clean network-origin browser break.
Affected versions	Google Chrome on Linux prior to 149.0.7827.53.
Fixed versions	149.0.7827.53 for Linux per Google's stable-channel release on June 2, 2026. For this CVE, think Google Chrome packages, not distro Chromium backports.
Exposure/scanning reality	This is endpoint software, not an internet-facing service. Shodan/Censys-style census data is not the right lens; coverage comes from endpoint inventory, package/version telemetry, EDR, and browser management, not perimeter scanning.
Disclosure and reporting	Published 2026-06-04 in cvelistv5/CVE mirrors; Google’s release notes say it was reported by Google on 2026-04-08.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.8/10)

The single biggest downward driver is that exploitation requires prior renderer compromise, which means this is not an initial-access bug but a chain component. Linux-only scope and the crafted-extension condition narrow the exposed population further, keeping this out of HIGH despite the sandbox-escape impact.

HIGH Affected version range and fixed version

HIGH No known active exploitation / not KEV-listed

MEDIUM Exploit-path specifics, because Chromium issue details are still restricted

Why this verdict

Start from Google's baseline, not the inflated 9.6: the official Chrome stable advisory classifies CVE-2026-11112 as Medium, which is more credible than a generic external CVSS score for a chained browser bug.
Major downward adjustment for attacker position: the attacker must already have compromised the renderer process. That implies a prior exploit stage, so this is post-initial-access within the browser trust model.
Further downward adjustment for population reach: this is Linux-only and references a crafted Chrome Extension, both of which materially reduce how many enterprise endpoints can be reached in real deployments.
No urgency amplifier: no KEV listing, no public PoC found, and the supplied EPSS 0.00047 is extremely low.
Not lower than MEDIUM because sandbox escape still matters: if an attacker already has a renderer foothold, escaping Chrome's sandbox is a meaningful step-up in real intrusion chains.

Why not higher?

If this were a direct webpage-to-host break with no prior compromise requirement, HIGH or CRITICAL would be justified. But the published description explicitly says the attacker must have already compromised the renderer, which sharply limits reachable victims and makes this a specialist exploit-chain component rather than a fleet-wide emergency.

Why not lower?

Sandbox escapes are strategically important because they defeat one of Chrome's core security boundaries. For high-value users on Linux, a private renderer exploit chained with this bug could still produce a serious endpoint compromise, so dismissing it as LOW would understate the risk.

05 · Compensating Control

What to do — in priority order.

Block unapproved extensions — Enforce Chrome enterprise policies that only allow sanctioned extensions and block sideloading or user-installed exceptions. Because this is a MEDIUM finding, there is no mitigation SLA — go straight to the 365-day remediation window, but this control is still the best way to reduce the specific exploit path while patching rolls through normal browser update rings.
Prioritize Linux browser inventory — Split Linux Chrome assets from Windows/macOS in your inventory and identify endpoints below 149.0.7827.53. There is no mitigation SLA — go straight to the 365-day remediation window for this severity, but you should know exactly which developer, admin, and internet-facing user populations are carrying the exposure.
Watch for Chrome child-process abuse — Tune EDR and behavioral analytics for Chrome spawning shells, script interpreters, package tools, or unexpected helpers on Linux. This will not prevent exploitation, but it gives you a practical backstop against the post-sandbox-escape phase during the normal remediation window.
Keep browser auto-update healthy — Validate that managed Linux systems can actually pull Chrome stable updates from your repo or vendor channel and are not pinned below 149.0.7827.53. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, so the operational priority is preventing stranded versions.

What doesn't work

A perimeter scanner will not help much here because Chrome is not an internet-facing service and the real risk lives on endpoints.
A WAF or reverse proxy does nothing for the core exploit path because the vulnerable component is a local browser on the client side.
Relying on CVSS alone does not work here; it misses the decisive real-world friction that the attacker must already control the renderer process.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux endpoint or through your fleet-management agent as a standard user; root is not required unless your environment restricts package queries. Save as check_cve_2026_11112.sh and run bash check_cve_2026_11112.sh; it checks installed Google Chrome version and returns VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_11112.sh
# Detects whether Google Chrome on Linux is below 149.0.7827.53
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / not applicable / unable to determine

set -u

FIXED_VERSION="149.0.7827.53"
VERSION=""
SOURCE=""

ver_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ]
}

extract_version() {
  echo "$1" | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n1
}

# Try executable paths first
for bin in google-chrome google-chrome-stable /opt/google/chrome/google-chrome; do
  if command -v "$bin" >/dev/null 2>&1; then
    OUT="$($bin --version 2>/dev/null || true)"
    VERSION="$(extract_version "$OUT")"
    SOURCE="$bin --version"
    [ -n "$VERSION" ] && break
  fi
done

# Try dpkg if still unknown
if [ -z "$VERSION" ] && command -v dpkg-query >/dev/null 2>&1; then
  OUT="$(dpkg-query -W -f='${Version}\n' google-chrome-stable 2>/dev/null || true)"
  VERSION="$(extract_version "$OUT")"
  SOURCE="dpkg-query google-chrome-stable"
fi

# Try rpm if still unknown
if [ -z "$VERSION" ] && command -v rpm >/dev/null 2>&1; then
  OUT="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' google-chrome-stable 2>/dev/null || true)"
  VERSION="$(extract_version "$OUT")"
  SOURCE="rpm -q google-chrome-stable"
fi

if [ -z "$VERSION" ]; then
  echo "UNKNOWN: Google Chrome on Linux not found or version could not be determined"
  exit 2
fi

if ver_lt "$VERSION" "$FIXED_VERSION"; then
  echo "VULNERABLE: Google Chrome version $VERSION is below fixed version $FIXED_VERSION ($SOURCE)"
  exit 1
else
  echo "PATCHED: Google Chrome version $VERSION is at or above fixed version $FIXED_VERSION ($SOURCE)"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not let the scary 9.6 number pull this ahead of your real internet-to-root problems. Treat CVE-2026-11112 as a Linux-only Chrome sandbox-escape chain component: confirm which Linux endpoints run Google Chrome, verify they are below 149.0.7827.53, keep extension controls tight, and patch through your normal browser ring. Because the reassessed verdict is MEDIUM and there is no active exploitation evidence, there is noisgate mitigation SLA — go straight to the 365-day remediation window; complete the actual Chrome update to 149.0.7827.53+ within the noisgate remediation SLA of 365 days.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.