CVE-2026-11143 · Out of bounds read in Extensions in Google Chrome on Linux prior to 149.0.7827.53 allowed an attacker who convinced a user to install a mali

01 · The Real Story

This is less a drive-by break-in than a poisoned badge handed to someone at the front desk

CVE-2026-11143 is an out-of-bounds read in Chrome Extensions on Linux only, affecting Google Chrome versions prior to 149.0.7827.53. The attacker does not get a one-click web exploit here; they first have to convince a user to install a malicious extension, then use that crafted extension to read potentially sensitive data from the browser process memory.

Google labeled it MEDIUM 6.5, and technically that is defensible in a vacuum because the confidentiality impact is real. In enterprise reality, though, the exploit chain is heavily throttled by preconditions: Linux-only scope, user interaction, extension-install social engineering, and no evidence of in-the-wild abuse or internet-scale exposure. That combination pushes this down into backlog-hygiene territory.

"This is a Linux-only, user-assisted malicious-extension bug—not a fleet-wide emergency"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a malicious extension

The attacker needs a weaponized Chrome extension and a way to get it onto the target Linux endpoint. There is no indication of a server-side trigger or passive browsing exploit; the extension is the delivery vehicle.

Conditions required:

Target runs Google Chrome on Linux
Attacker can publish, sideload, or otherwise deliver a malicious extension
Enterprise policy does not fully block unapproved extensions

Where this breaks in practice:

Most mature fleets restrict extension installs through browser policy or managed stores
Linux endpoints are usually a minority slice of enterprise desktop populations
This is not reachable from unauthenticated internet scanning

Detection/coverage: Commodity vuln scanners will mostly flag by version only; they generally do not validate whether risky extension installation paths are actually allowed.

STEP 02

Convince the user to install it

User interaction is mandatory. The attacker must socially engineer the victim into approving the extension, which is a much narrower and noisier path than a simple link-click or crafted page visit.

Conditions required:

A user is willing and able to install the extension
Browser or enterprise controls do not block the extension at install time

Where this breaks in practice:

Admin-enforced allowlists and extension blocklists break the chain
Security-aware users and endpoint hardening reduce conversion rates
MFA, EDR, and email/web filtering often disrupt the preceding social-engineering stage

Detection/coverage: Look for extension install events in Chrome enterprise reporting, EDR telemetry, or package/profile changes on managed Linux workstations.

STEP 03

Trigger the out-of-bounds read

Once installed, the crafted extension exercises the vulnerable Extensions code path and reads beyond intended bounds in process memory. The described impact is information disclosure, not code execution, sandbox escape, or integrity compromise.

Conditions required:

Vulnerable Chrome version is present
The malicious extension can execute in the affected browser context

Where this breaks in practice:

Browser memory-safety bugs can be unstable and version-sensitive
No public weaponized PoC was found in the reviewed sources

Detection/coverage: Signature-level detection is weak. Coverage is mostly indirect: suspicious extension behavior, abnormal browser crashes, or post-install data access patterns.

STEP 04

Harvest exposed process memory

The attacker attempts to extract sensitive material resident in the Chrome process, such as page content, tokens, or other browser-resident data. Actual value depends on what is present in memory at the time and what the extension can exfiltrate.

Conditions required:

Useful secrets are present in the affected process memory
The extension has a path to send data out

Where this breaks in practice:

Impact is opportunistic rather than guaranteed; memory contents vary by session
No integrity or availability impact is described
Enterprise egress controls and extension permission review can limit exfiltration

Detection/coverage: Monitor for unusual network activity from the browser after extension installation and for extension IDs outside your approved inventory.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No evidence of active exploitation in the reviewed sources; CISA ADP SSVC on the CVE record shows Exploitation: none.
PoC availability	No public PoC or weaponized exploit repo was found in the reviewed sources. The referenced Chromium issue is present, but public exploit material was not identified.
EPSS	0.00008 (~0.008% 30-day exploit probability) from the user-provided intel; that is effectively floor-level risk. Percentile was not available in the reviewed source set.
KEV status	Not listed in CISA's Known Exploited Vulnerabilities catalog in the reviewed sources.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N` — the big limiter is UI:R. High confidentiality on paper, but only after the user installs attacker code.
Affected versions	Google Chrome on Linux prior to 149.0.7827.53.
Fixed version	149.0.7827.53 for Linux. Windows/macOS patch numbers in the same bulletin are not the scope of this specific CVE.
Exposure / scanning reality	There is no meaningful Shodan/Censys/GreyNoise style exposure signal here because this is a client-side browser extension bug, not an internet-facing service. Fleet inventory and browser-management telemetry matter more than internet scanning.
Disclosure timeline	Published 2026-06-04; Chrome stable bulletin for Desktop 149 was published the same week.
Reporter	Reported by Google per the Chrome stable release bulletin.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.2/10)

The decisive factor is the attacker position requirement: this bug is only useful after the attacker convinces a user to install a malicious extension on a Linux Chrome endpoint. That is a narrow, high-friction path with limited enterprise reach and no evidence of active exploitation to offset the friction.

HIGH Attack-precondition assessment: malicious extension install + Linux-only scope

HIGH Exploit prevalence assessment: no KEV listing and no public PoC found in reviewed sources

MEDIUM Impact assessment: process-memory disclosure could expose sensitive data, but practical yield varies

Why this verdict

Down from vendor 6.5 because attacker position is worse than CVSS suggests: this is not an unauthenticated remote web hit; it requires getting attacker-controlled extension code installed by the user first.
Down again for population reach: the vulnerable population is limited to Linux Chrome endpoints, and only the subset where extension governance is weak enough to permit malicious installs.
Down again for real-world signal: no KEV listing, no active exploitation evidence, no public PoC found, and no internet-exposed service to mass-scan or mass-exploit.

Why not higher?

A higher rating would need an amplifier such as active exploitation, a one-click browser trigger, broad cross-platform exposure, or a direct path to code execution or sandbox escape. None of those are present in the reviewed evidence. The chain starts with a social-engineering win plus extension install, which is already a prior-control failure.

Why not lower?

It is not IGNORE because the confidentiality impact is legitimate: the bug can expose process memory, and malicious extensions are a real enterprise abuse path. If you allow broad extension installation on Linux workstations, this becomes more than theoretical, just not urgent enough to outrank remotely reachable or exploited bugs.

05 · Compensating Control

What to do — in priority order.

Enforce an extension allowlist — Restrict Chrome extensions to approved IDs through enterprise policy so the exploit chain dies at the installation step. For a LOW verdict there is no SLA; treat this as backlog hygiene and implement during normal browser-policy maintenance.
Block developer-mode and sideloading paths — If your Linux fleet permits unpacked or sideloaded extensions, close that gap so social engineering has fewer viable routes. For a LOW verdict there is no SLA; fold this into your standard workstation hardening cycle.
Alert on new extension installs — Use Chrome enterprise reporting, EDR, or local telemetry to surface extension additions, especially on Linux admin and engineering workstations. For a LOW verdict there is no SLA; implement as part of routine detection engineering.
Prioritize high-value Linux users — Focus review on developers, admins, and browser-heavy privileged users because their session memory is more likely to contain valuable tokens or internal app data. For a LOW verdict there is no SLA; target these cohorts in your next browser hygiene pass.

What doesn't work

A WAF does not help; this is not an attack against your server perimeter.
Basic network vulnerability scanning does not help much; version checks may identify old Chrome builds, but scanners cannot tell whether extension-install controls prevent exploitation.
Relying on user awareness alone is weak; the exploit chain explicitly banks on the user approving a malicious extension.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux host or through your fleet management agent. Invoke it as bash check-chrome-cve-2026-11143.sh with no special privileges required; it checks common Google Chrome Linux binaries and prints VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-chrome-cve-2026-11143.sh
# Purpose: Determine whether Google Chrome on Linux is vulnerable to CVE-2026-11143
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

FIXED_VERSION="149.0.7827.53"
CANDIDATES=(
  "/usr/bin/google-chrome"
  "/usr/bin/google-chrome-stable"
  "/opt/google/chrome/google-chrome"
)

version_lt() {
  # returns 0 if $1 < $2 using version sort
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ]
}

extract_version() {
  local bin="$1"
  local out ver
  out="$($bin --version 2>/dev/null)" || return 1
  ver="$(printf '%s' "$out" | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n1)"
  [ -n "$ver" ] || return 1
  printf '%s' "$ver"
  return 0
}

FOUND_BIN=""
FOUND_VER=""

for bin in "${CANDIDATES[@]}"; do
  if [ -x "$bin" ]; then
    ver="$(extract_version "$bin")" || continue
    FOUND_BIN="$bin"
    FOUND_VER="$ver"
    break
  fi
done

if [ -z "$FOUND_BIN" ] || [ -z "$FOUND_VER" ]; then
  echo "UNKNOWN: Google Chrome for Linux not found in expected locations"
  exit 2
fi

if version_lt "$FOUND_VER" "$FIXED_VERSION"; then
  echo "VULNERABLE: $FOUND_BIN version $FOUND_VER is older than fixed version $FIXED_VERSION"
  exit 1
else
  echo "PATCHED: $FOUND_BIN version $FOUND_VER is at or newer than fixed version $FIXED_VERSION"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: identify Linux Chrome endpoints still below 149.0.7827.53, then check whether those users can install unapproved extensions. Because this is LOW, there is no noisgate mitigation SLA and no noisgate remediation SLA beyond treating it as backlog hygiene; roll the browser update and any extension-policy cleanup into your normal workstation maintenance cycle, document the Linux-only and malicious-extension prerequisite, and spend this week’s urgent patch budget on remotely reachable or exploited issues instead.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.