Uninitialized Use in Audio in Google Chrome prior to 149

CVE-2026-11141 is an *uninitialized use* bug in Chrome's Audio component. Affected versions are Chrome prior to 149.0.7827.53 on Linux and prior to 149.0.7827.53/54 on Windows and macOS, as reflected in Google's Chrome 149 stable release. The practical effect is memory disclosure: after an attacker already has code execution or equivalent control inside the renderer process, a crafted HTML page can steer the Audio path into exposing stale process memory.

Google's MEDIUM label is fair in lab terms but still a little generous for enterprise triage. The decisive friction is the prerequisite: *the renderer must already be compromised first*. That makes this a chain-enabler, not an initial-access bug, and there is no public evidence here of in-the-wild abuse, KEV inclusion, or a public exploit chain built around this CVE alone.

Why this verdict

• Major prerequisite downgrade: the attacker must already have compromised the renderer process, which implies a prior exploit stage and sharply narrows the reachable population.
• Blast radius is limited: this CVE is a confidentiality leak primitive, not standalone RCE and not a sandbox escape.
• Threat intel is cold: no KEV entry, no public exploitation evidence, and EPSS is extremely low at 0.00035.
• Exposure is broad but shallow: Chrome is everywhere, but this specific bug is not directly reachable as an initial-access bug across your 10,000-host fleet.

Why not higher?

If this were a direct drive-by renderer compromise or a sandbox escape, it would land much higher. But the exploit chain here starts *after* the attacker already owns the renderer, and the described impact is memory disclosure rather than code execution or privilege gain.

Why not lower?

It still lives in a massively deployed browser and can strengthen a real exploit chain. Browser memory-leak primitives matter to attackers because they can improve reliability of higher-value bugs, so this is not something to ignore entirely.

1. Enforce Chrome autoupdate — Confirm the fleet is converging on 149.0.7827.53/54 or later through your normal browser update channel. For a LOW verdict there is no SLA beyond backlog hygiene, but because this is a browser bug on a ubiquitous client, close the gap during the next routine desktop maintenance cycle rather than letting stragglers sit indefinitely.
2. Prioritize high-risk user groups — If you cannot verify universal update coverage quickly, focus first on executives, admins, developers, and users who browse untrusted sites. Even a low-severity chain component is more relevant on endpoints likely to face targeted browser exploitation.
3. Monitor browser version drift — Use Chrome Enterprise reporting or endpoint inventory to identify devices still below 149.0.7827.53. For a LOW issue, treat this as hygiene: catch stale versions in your next compliance sweep and roll them forward.
4. Harden the browsing tier — Keep browser isolation, exploit protection, web filtering, and extension governance in place. These controls matter because the real danger is the *parent exploit chain* that would need to compromise the renderer first.

Run this on the target Windows endpoint or through your endpoint management tool with standard local read access; admin rights are not required for version checks. Example: powershell -ExecutionPolicy Bypass -File .\check-chrome-cve-2026-11141.ps1. The script checks common Chrome install paths and registry entries, compares the installed version to 149.0.7827.53, and prints VULNERABLE, PATCHED, or UNKNOWN.

# check-chrome-cve-2026-11141.ps1

# Purpose: Detect whether Google Chrome on Windows is below 149.0.7827.53

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'

function Get-ChromeVersion {
    $candidates = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
    )

    foreach ($key in $candidates) {
        $item = Get-ItemProperty -Path $key
        if ($item -and $item.'(default)') {
            $path = $item.'(default)'
            if (Test-Path $path) {
                $ver = (Get-Item $path).VersionInfo.ProductVersion
                if ($ver) { return $ver }
            }
        }
    }

    $paths = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "$env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe",
        "$env:LocalAppData\Google\Chrome\Application\chrome.exe"
    )

    foreach ($path in $paths) {
        if (Test-Path $path) {
            $ver = (Get-Item $path).VersionInfo.ProductVersion
            if ($ver) { return $ver }
        }
    }

    return $null
}

function Compare-Version($a, $b) {
    try {
        $va = [version]($a -replace '[^0-9\.]','')
        $vb = [version]($b -replace '[^0-9\.]','')
        return $va.CompareTo($vb)
    } catch {
        return $null
    }
}

$fixed = '149.0.7827.53'
$installed = Get-ChromeVersion

if (-not $installed) {
    Write-Output 'UNKNOWN: Google Chrome not found or version unreadable'
    exit 2
}

$result = Compare-Version $installed $fixed
if ($null -eq $result) {
    Write-Output "UNKNOWN: Unable to compare installed version $installed"
    exit 2
}

if ($result -lt 0) {
    Write-Output "VULNERABLE: Installed Chrome version $installed is below fixed version $fixed"
    exit 1
} else {
    Write-Output "PATCHED: Installed Chrome version $installed is at or above fixed version $fixed"
    exit 0
}

Sources

1. Google Chrome Releases - Stable Channel Update for Desktop (Chrome 149)
2. Chromium issue 501667839
3. GovCERT.HK alert - Multiple Vulnerabilities in Google Chrome
4. Canadian Centre for Cyber Security - Google Chrome security advisory AV26-544
5. CISA Known Exploited Vulnerabilities Catalog
6. FIRST EPSS
7. Chrome Enterprise - View Chrome version details