← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11126 · CWE-20 · Disclosed 2026-06-04

Inappropriate implementation in DevTools in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a peephole cut into the browser wall, but only after the attacker talks the user into carrying the knife inside

CVE-2026-11126 is a DevTools input-validation flaw in Google Chrome that affects versions before 149.0.7827.53. The published CNA text says an attacker must convince a user to install a malicious Chrome extension, after which the flaw can be used to leak cross-origin data via a crafted extension. Fixed desktop builds are 149.0.7827.53 on Linux and 149.0.7827.53/54 on Windows and macOS.

Reality is lower urgency than the word 'cross-origin' makes it sound. This is not a drive-by web exploit, not an RCE, not a sandbox escape, and not an unauthenticated internet-facing server bug; it is a client-side privacy boundary failure gated by malicious extension install. In a managed enterprise that already blocks or allowlists extensions, the reachable population collapses hard, which is why this lands in LOW despite the browser-wide name recognition.

"ASSESSED AT LOW: this needs a malicious extension install first, so it is a narrow post-click browser-bound leak"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the extension

The attacker first needs a malicious Chrome extension installed in the victim profile. In practice that means Chrome Web Store social engineering, sideloading, or abusing an environment where users can freely add extensions. The vuln does nothing until that prior foothold exists.
Conditions required:
  • User can install extensions or attacker can force/sideload one
  • Victim accepts the install prompt or enterprise policy allows it
  • Target is running Chrome earlier than 149.0.7827.53
Where this breaks in practice:
  • Many enterprises use ExtensionInstallAllowlist or blocklists
  • Managed Chrome can force-install only approved extensions and prevent user-added ones
  • Install-time permission warnings reduce casual conversion
Detection/coverage: Good policy-side coverage: Chrome Enterprise extension inventories, admin reports, and EDR/browser telemetry can usually spot new or unsigned extension installs. Network scanners do not help because this is not an exposed service.
STEP 02

Use DevTools-adjacent capability

Once resident, the extension uses crafted extension logic against the affected DevTools behavior to cross a same-origin boundary and access data it should not have. The closest weaponized building blocks are Chrome extension APIs such as chrome.debugger and DevTools-related extension surfaces, which are explicitly powerful and permission-gated.
Conditions required:
  • Extension has the needed permissions and code path
  • Victim uses the compromised browser profile
  • Relevant target tabs/data are present in that profile
Where this breaks in practice:
  • Extensions with powerful permissions are noisier and more suspicious
  • Some permissions trigger user-visible warnings
  • A lot of enterprise users never install debugging-oriented extensions
Detection/coverage: Moderate. You can hunt for extensions requesting debugger, broad host permissions, or unusual extension network egress, but there is no simple Nessus/Qualys-style signature for 'this attack chain is executing now'.
STEP 03

Pull cross-origin data

The actual impact published for this CVE is cross-origin data leakage, meaning the attacker steals data from pages or contexts that should stay isolated. That is meaningful for browser confidentiality, but it is still browser-profile scoped impact rather than host takeover or domain-wide compromise.
Conditions required:
  • Sensitive web sessions or data exist in the victim browser
  • The extension can reach the necessary targets during user activity
Where this breaks in practice:
  • No indication of code execution outside the browser sandbox
  • No evidence that the flaw bypasses enterprise identity controls by itself
  • Blast radius is usually one user profile at a time
Detection/coverage: Low direct signature quality. Detection is mostly behavioral: suspicious extension traffic, odd browser process egress, or retroactive extension inventory review.
STEP 04

Exfiltrate over normal browser traffic

The stolen data can be exfiltrated using ordinary HTTPS requests from the extension or background service worker. From a defender perspective, that makes it blend into standard browser traffic unless you already monitor extension inventories, browser destinations, or sanctioned egress paths.
Conditions required:
  • Extension can reach attacker-controlled infrastructure
  • Outbound browser traffic is not tightly restricted
Where this breaks in practice:
  • Secure web gateways and DNS filtering can still catch known bad destinations
  • Tenant-aware CASB/SWG controls may flag abnormal destinations or uploads
Detection/coverage: Detection quality depends on your browser and egress telemetry. DNS/SWG logging is often the most practical signal once extension inventory is known.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found in the sources reviewed; not listed in CISA KEV.
Proof-of-concept availabilityNo public PoC located in targeted checks of the disclosed sources and obvious GitHub-style discovery paths; confidence is medium, because Chrome bug details are often restricted after patch release.
EPSS0.00016 from supplied intel. Percentile was not provided in the supplied dataset, but the score itself is effectively near-floor.
KEV statusNot KEV-listed as of this assessment.
Vendor severity / baselineChromium lists this as security severity: Medium, but there is no vendor CVSS score published for this CVE, so this is = ASSESSED AT LOW rather than an upgrade/downgrade call.
CVSS vector reality-checkNo authoritative CVSS vector published. If you model it from the advisory text, the chain is shaped by UI:R and a stronger-than-usual prerequisite: malicious extension install first, which is materially narrower than a normal web-only browser bug.
Affected versionsGoogle Chrome before 149.0.7827.53; desktop fixes shipped as 149.0.7827.53 (Linux) and 149.0.7827.53/54 (Windows/macOS).
Disclosure and reportingPublished 2026-06-04 in the CVE record; Chrome release post dated 2026-06-02. Google lists the bug as reported by Google on 2026-04-10.
Exposure / scanning realityNot internet-addressable in the way Shodan/Censys/GreyNoise track server flaws. Exposure is best measured by Chrome fleet versioning plus extension policy posture, not by perimeter scans.
Research contextChrome's own docs show the chrome.debugger API can attach to tabs and instrument network/DOM behavior, and prior academic work has shown how extension access to DevTools-style capability can be abused for data exposure. That does not prove exploitation here, but it explains why a malicious extension prerequisite matters.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.2/10)

The decisive factor is the attacker position requirement: this CVE only matters after the attacker gets a malicious extension installed in the victim browser, which is already a major control failure and sharply narrows real-world reach. The impact is also data leakage within the browser context, not host takeover, so the blast radius stays limited compared with the Chrome bugs that actually drive emergency patching.

HIGH Prerequisite analysis: malicious extension install is the gating friction
MEDIUM Exploit availability assessment: public PoC and field use appear absent, but Chrome bug details remain partially restricted
HIGH Version/fix metadata from Chrome release sources

Why this verdict

  • No vendor CVSS exists, so start from the published behavior: Google describes a Medium Chromium-severity client-side data leak, not RCE or sandbox escape.
  • Requires malicious extension install first: that implies prior social engineering or policy failure. In enterprise terms, this is post-initial-compromise of the browser trust model, not an internet-reachable first-hop exploit.
  • Reachable population is much smaller than Chrome's install base: organizations enforcing extension allowlists, force-installs, or managed browser policy remove most of the attack surface before the CVE matters.
  • Impact is confidentiality loss in-browser, not system compromise: the published effect is cross-origin data leakage, which is real but materially less urgent than code execution or container breakout.
  • Threat telemetry is quiet: no KEV, no public exploitation evidence in reviewed sources, and the supplied EPSS 0.00016 is extremely low.

Why not higher?

A higher rating would require either web-only reachability, active exploitation, or host-level consequences. This CVE has none of those in the published record: the attacker needs a malicious extension foothold first, and the stated impact is limited to cross-origin data leakage. That combination is too narrow for MEDIUM-or-higher emergency treatment across a 10,000-host fleet.

Why not lower?

I am not calling this IGNORE because it still represents a real browser security-boundary failure in a massively deployed client, and unmanaged or lightly managed Chrome populations do exist. If your estate permits broad user-installed extensions, this bug is a useful amplifier for that preexisting weakness, so it belongs in the backlog rather than the trash bin.

05 · Compensating Control

What to do — in priority order.

  1. Enforce an extension allowlist — Use Chrome Enterprise ExtensionInstallAllowlist / ExtensionSettings so only approved extensions can be installed. This directly kills the hardest prerequisite in the chain; for a LOW verdict there is no mitigation SLA (treat as backlog hygiene), but this is still the best control if your extension posture is loose.
  2. Hunt for high-risk extension permissions — Review installed extensions for broad host access, debugger, and uncommon DevTools-related behaviors, then remove anything unapproved. Do this through Chrome Admin reports or local inventory; for LOW, there is no mitigation SLA, so fold it into your normal browser governance cycle.
  3. Inventory unmanaged Chrome — Find browsers not enrolled in Chrome Enterprise Core, GPO, MDM, or equivalent management, because those are the endpoints where user-installed malicious extensions are most likely. There is no mitigation SLA for LOW, but this is the population where the CVE is actually relevant.
  4. Constrain browser egress where practical — Use SWG/DNS controls to make extension-driven exfiltration louder by restricting newly seen or low-reputation destinations. This will not prevent the boundary failure itself, but it adds friction to step 4 of the chain; again, no mitigation SLA applies at LOW.
What doesn't work
  • A WAF does not help because the exploit path is inside the client browser after extension install, not against your server.
  • Traditional perimeter vulnerability scanning does not help because there is no internet-facing service to probe; this is a local browser-version-and-policy problem.
  • Relying on user training alone is weak here; the prerequisite is literally getting a user to install an extension, so you need technical policy controls, not just awareness slides.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your EDR/remote execution layer. Invoke it with python3 check_chrome_cve_2026_11126.py; it needs no administrator privileges, but it does need permission to execute the local Chrome binary or read standard install paths. It reports VULNERABLE, PATCHED, or UNKNOWN based on whether the installed Google Chrome version is earlier than 149.0.7827.53.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# check_chrome_cve_2026_11126.py
# Determine whether locally installed Google Chrome is vulnerable to CVE-2026-11126.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

import os
import platform
import re
import shutil
import subprocess
import sys
from typing import Optional, Tuple

FIXED = (149, 0, 7827, 53)


def run_version(cmd):
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10)
        out = (p.stdout or "") + "\n" + (p.stderr or "")
        return out.strip()
    except Exception:
        return ""


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def find_chrome() -> Optional[str]:
    system = platform.system().lower()

    if system == 'windows':
        candidates = [
            os.path.join(os.environ.get('ProgramFiles', r'C:\Program Files'), 'Google', 'Chrome', 'Application', 'chrome.exe'),
            os.path.join(os.environ.get('ProgramFiles(x86)', r'C:\Program Files (x86)'), 'Google', 'Chrome', 'Application', 'chrome.exe'),
            os.path.join(os.environ.get('LocalAppData', ''), 'Google', 'Chrome', 'Application', 'chrome.exe'),
        ]
        for c in candidates:
            if c and os.path.exists(c):
                return c
        return None

    if system == 'darwin':
        candidates = [
            '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
            os.path.expanduser('~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'),
        ]
        for c in candidates:
            if os.path.exists(c):
                return c
        return None

    # Linux / other Unix-like
    for name in ['google-chrome', 'google-chrome-stable', 'chrome']:
        path = shutil.which(name)
        if path:
            return path
    return None


def get_version(path: str) -> Optional[Tuple[int, int, int, int]]:
    out = run_version([path, '--version'])
    return parse_version(out)


def main():
    chrome = find_chrome()
    if not chrome:
        print('UNKNOWN: Google Chrome executable not found')
        sys.exit(2)

    version = get_version(chrome)
    if not version:
        print(f'UNKNOWN: Unable to determine version from {chrome}')
        sys.exit(2)

    if version < FIXED:
        print(f'VULNERABLE: Google Chrome {".".join(map(str, version))} < 149.0.7827.53 ({chrome})')
        sys.exit(1)
    else:
        print(f'PATCHED: Google Chrome {".".join(map(str, version))} >= 149.0.7827.53 ({chrome})')
        sys.exit(0)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not spin up an emergency fleetwide campaign for this one. First confirm your managed Chrome populations are naturally rolling to 149.0.7827.53/54 or later, then check whether you still allow broad user-installed extensions; for a LOW verdict there is no noisgate mitigation SLA — treat extension-policy tightening as backlog hygiene. Patch the browser in the normal maintenance stream and complete version remediation within the noisgate remediation SLA of ≤365 days; if you already enforce an extension allowlist, document that control and move on.

Sources

  1. Chrome Releases: Stable Channel Update for Desktop
  2. CIRCL Vulnerability-Lookup search result containing CVE-2026-11126 CNA text
  3. Chromium issue tracker entry 501528031
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS project
  6. Chrome Enterprise policy: Extension Install Allowlist
  7. Chrome for Developers: chrome.debugger API
  8. Chrome for Developers: Permission warning guidelines
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.