CVE-2026-11117 · Use after free in Views in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted

01 · The Real Story

This is a spring-loaded trap in the browser UI, not a worm in your DMZ

CVE-2026-11117 is a Windows-only use-after-free in Chrome's Views UI layer. Affected builds are Google Chrome on Windows before 149.0.7827.53; Google released Chrome 149 stable on 2026-06-02, and the CVE was published on 2026-06-04. The bug can be triggered by a crafted HTML page and the CVE text says it may allow arbitrary code execution.

The vendor CVSS 8.8/HIGH is technically defensible in a vacuum, but it overstates operational urgency for enterprise patch triage. The attack still requires a user to be lured into rendering attacker content in Chrome, there is no KEV listing, the CVE record's SSVC says Exploitation: none / Automatable: no, EPSS is extremely low, and Chromium itself labeled the underlying bug Medium. For a team juggling 10,000 endpoints, this is real but it is not the fire that pre-auth edge RCEs are.

"Patch it, but don't let a browser bug with mandatory user clicks outrank exposed server RCEs."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the victim on attacker HTML

The attacker needs Chrome on Windows to load a crafted page that exercises the vulnerable Views code path. In practice this means phishing, malvertising, poisoned search results, or a compromised site rather than unauthenticated internet-wide exploitation.

Conditions required:

Target uses Google Chrome on Windows
Installed version is lower than 149.0.7827.53
User visits attacker-controlled or attacker-influenced web content

Where this breaks in practice:

Requires user interaction (UI:R) rather than blind network reachability
Enterprise web filtering, safe browsing, mail gateways, and browser isolation can break delivery before the bug is hit
Windows-only scope excludes macOS/Linux Chrome fleets

Detection/coverage: Exposure scanners can inventory version, but they will not prove exploitability of this code path. URL filtering, secure web gateways, and browser telemetry are more useful than perimeter vuln scans here.

STEP 02

Trigger the UAF in Views

The crafted page must push Chrome into a use-after-free condition inside the UI framework. That is the weaponization step: turning memory corruption into a reliable primitive on the victim's specific Chrome/Windows build.

Conditions required:

A working exploit that reaches the vulnerable object lifecycle
Target runtime behavior matches the exploit's assumptions

Where this breaks in practice:

Use-after-free bugs are not automatically reliable RCEs
Chromium bug details are still restricted, which usually slows public weaponization
Modern hardening, allocator behavior, and exploit mitigations raise attacker engineering cost

Detection/coverage: Commodity scanners do not see this. Crashes may surface in browser crash telemetry or EDR as unstable exploit attempts, but successful exploitation may be quiet.

STEP 03

Convert corruption into code execution

If the attacker gets stable control of memory, they attempt arbitrary code execution in the browser context. The CVE description says 'execute arbitrary code' but does not explicitly say sandbox escape, so the exact final privilege boundary is not well described in public records.

Conditions required:

Exploit reliability is high enough to survive real endpoint diversity
Target mitigations do not kill the process first

Where this breaks in practice:

Public text is sparse; absence of a documented sandbox-escape chain limits confidence in full host compromise from this CVE alone
EDR behavior analytics may catch child-process launch, memory tampering, or post-exploitation tooling

Detection/coverage: EDR should have the best chance here: browser child process anomalies, unusual command execution from chrome.exe, or suspicious follow-on network connections.

STEP 04

Establish post-exploitation foothold

The attacker still needs to turn browser code execution into durable business impact such as credential theft, session hijack, payload staging, or lateral movement. That is no longer about the CVE alone; it depends on endpoint controls and user privileges.

Conditions required:

Attacker gets useful execution context
Endpoint controls fail to contain follow-on actions

Where this breaks in practice:

Least privilege, ASR rules, EDR, and application control can contain the blast radius
A standard-user workstation is a worse foothold than an internet-facing server

Detection/coverage: High-quality EDR, proxy logs, and identity telemetry usually catch the follow-on activity better than the original browser exploit.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found in the authoritative record set I checked. The CVE JSON's SSVC data says `Exploitation: none` and `Automatable: no`. Sources: CVE JSON, CIRCL entry
KEV status	Not KEV-listed as of this assessment. I found no entry in the CISA KEV catalog and no indication in the KEV JSON feed.
PoC availability	No credible public PoC located during this assessment; Chromium issue details remain restricted. That does not mean exploitation is impossible, only that copy-paste weaponization is not obviously available yet. Sources: Chromium issue 501403820, Chrome release note
EPSS	0.0008 from the user-provided intel, which is extremely low. FIRST documents EPSS as a 30-day exploitation probability, not an impact score. Sources: FIRST EPSS overview, FIRST EPSS API docs
CVSS vector meaning	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` means remote reachability with no auth required, but user interaction is mandatory. That `UI:R` is the main real-world brake here. Source: CVE JSON
Affected versions	Google Chrome on Windows prior to 149.0.7827.53. Public records do not describe impact to macOS/Linux for this CVE. Sources: CVE JSON, Chrome stable update
Fixed version	149.0.7827.53 or later on Windows. Google promoted Chrome 149 stable on 2026-06-02. Source: Chrome stable update
Researcher / reporter	Reported by Google on 2026-04-10 according to the vendor release note. This was not credited to an external researcher in the public note. Source: Chrome stable update
Disclosure timeline	Stable fix shipped 2026-06-02; CVE published 2026-06-04; CVE JSON updated 2026-06-06. Sources: Chrome stable update, CVE JSON
Scanning / exposure data	Inference: Shodan/Censys/FOFA-style internet census is mostly irrelevant here because Chrome desktop is client software, not a bannered internet-facing service. Your exposure question is fleet version distribution, not open-port census. Supporting context: Censys CVE risks docs

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.7/10)

The decisive factor is mandatory user interaction on a client endpoint, not unauthenticated exposure of a server or appliance. This is a real browser memory-corruption bug, but the absence of KEV/activity evidence and the Windows-only, lure-based attack path keep it out of the top patch queue.

HIGH Affected version and fix version

HIGH No KEV listing at time of assessment

MEDIUM Reassessed severity based on public exploitability signals

LOW Exact post-exploitation boundary from this bug alone because public bug details are restricted

Why this verdict

Down from vendor 8.8 because UI:R matters: the attacker must win a phishing/malvertising/web-lure step before the bug is even reachable.
Windows-only scope narrows population: this is not a cross-platform Chrome emergency; mixed-platform fleets have a smaller exposed subset.
No active exploitation evidence: not in KEV, SSVC says Exploitation: none, and the user-provided EPSS is extremely low.
Chromium called it Medium internally: when the CNA that knows the code best labels the underlying bug medium, I treat that as meaningful downward pressure unless external exploitation says otherwise.
Endpoint blast radius is controllable: EDR, application control, and least privilege materially limit what a browser foothold can do compared with exposed server software.

Why not higher?

If this were KEV-listed, paired with a public exploit chain, or clearly documented as reliable full host compromise with no extra escape work, it would move up fast. Likewise, if the vulnerable surface were unauthenticated and internet-reachable without user clicks, this would not stay medium.

Why not lower?

It is still a browser memory-corruption flaw in one of the most common endpoint applications in the enterprise. Chrome is a massive exposure surface, and if the exploit matures, attackers can target users at scale through ordinary web traffic rather than needing prior access.

05 · Compensating Control

What to do — in priority order.

Enforce rapid Chrome auto-update — Make sure Windows endpoints are actually pulling Chrome 149.0.7827.53 or later via enterprise update policy and management tooling. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window, but in practice browsers should not sit unpatched anywhere near that long because update automation is cheap and high leverage.
Tighten web content filtering — Block newly registered domains, malicious ad categories, and known phishing delivery infrastructure to reduce the odds that users ever render exploit pages. This is your best temporary exposure reducer while update laggards are being cleaned up; deploy as standard control hardening, not as an emergency-only measure.
Hunt for outdated Chrome on Windows — Prioritize unmanaged laptops, VDI gold images, kiosk systems, and exception-based update rings. Those pockets are where browser CVEs survive long enough to become useful to attackers, even when the main fleet auto-updates.
Watch for browser-to-payload transitions — Alert on unusual child processes from chrome.exe, suspicious downloads, script interpreters, and credential-store access immediately following browser activity. This does not prevent the bug, but it shortens dwell time if someone does land code execution.

What doesn't work

Perimeter vuln scanning doesn't help much here, because Chrome desktop is not an exposed network service you can census from outside.
WAFs don't meaningfully protect endpoints against users browsing attacker-controlled internet content.
MFA is still good hygiene, but it does not stop exploitation of a local browser memory corruption bug.

06 · Verification

Crowdsourced verification payload.

Run this on the target Windows endpoint or through your RMM/EDR live-response shell. Invoke with powershell.exe -ExecutionPolicy Bypass -File .\check-chrome-cve-2026-11117.ps1; standard user rights are usually enough to read file versions, admin is not required.

noisgate-verify.ps1

POWERSHELLREAD-ONLYSAFE

# check-chrome-cve-2026-11117.ps1

# Purpose: Determine whether Google Chrome on Windows is vulnerable to CVE-2026-11117

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'Stop'

function Get-ChromePaths {
    $paths = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "$env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe",
        "$env:LocalAppData\Google\Chrome\Application\chrome.exe"
    )

    $regPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
    )

    foreach ($rk in $regPaths) {
        try {
            $item = Get-ItemProperty -Path $rk -ErrorAction Stop
            if ($item.'(default)') { $paths += $item.'(default)' }
            if ($item.Path) { $paths += (Join-Path $item.Path 'chrome.exe') }
        } catch {
            # Ignore missing registry keys

        }
    }

    $paths | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique
}

function To-Version([string]$s) {
    try {
        return [version]$s
    } catch {
        return $null
    }
}

$fixedVersion = To-Version '149.0.7827.53'
if (-not $fixedVersion) {
    Write-Output 'UNKNOWN - could not parse fixed version'
    exit 2
}

$chromePaths = Get-ChromePaths
if (-not $chromePaths -or $chromePaths.Count -eq 0) {
    Write-Output 'UNKNOWN - chrome.exe not found'
    exit 2
}

$results = @()
foreach ($path in $chromePaths) {
    try {
        $item = Get-Item $path -ErrorAction Stop
        $verString = $item.VersionInfo.ProductVersion
        if (-not $verString) { $verString = $item.VersionInfo.FileVersion }
        if ($verString) {
            $verString = ($verString -split '\s+')[0]
        }
        $ver = To-Version $verString
        $results += [pscustomobject]@{
            Path = $path
            VersionString = $verString
            Version = $ver
        }
    } catch {
        $results += [pscustomobject]@{
            Path = $path
            VersionString = $null
            Version = $null
        }
    }
}

$valid = $results | Where-Object { $_.Version -ne $null }
if (-not $valid -or $valid.Count -eq 0) {
    Write-Output 'UNKNOWN - unable to read Chrome version'
    $results | ForEach-Object { Write-Output ("Path={0}; Version={1}" -f $_.Path, $_.VersionString) }
    exit 2
}

# If any installed Chrome is below fixed version, call it vulnerable.

$vuln = $valid | Where-Object { $_.Version -lt $fixedVersion }

if ($vuln) {
    Write-Output 'VULNERABLE'
    $vuln | ForEach-Object { Write-Output ("Path={0}; Version={1}; Fixed={2}" -f $_.Path, $_.VersionString, $fixedVersion) }
    exit 1
} else {
    Write-Output 'PATCHED'
    $valid | ForEach-Object { Write-Output ("Path={0}; Version={1}; Fixed={2}" -f $_.Path, $_.VersionString, $fixedVersion) }
    exit 0
}

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: pull a version inventory for Chrome on Windows, identify anything below 149.0.7827.53, and clean up update laggards through normal endpoint operations. Because this lands at MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; use the noisgate remediation SLA as the outer bound, but in practice browsers should be updated far sooner via auto-update enforcement, with unmanaged and exception-based Windows systems checked first.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.