← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11149 · CWE-20 · Disclosed 2026-06-04

Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is the deadbolt behind a door the attacker already has to kick open first

CVE-2026-11149 is an *Extensions* privilege-escalation bug in Google Chrome caused by insufficient validation of untrusted input. It affects Chrome versions before 149.0.7827.53 on Linux and before 149.0.7827.53/54 on Windows and macOS, and the published description is explicit about the prerequisite: the attacker must have *already compromised the renderer process* and then use a crafted HTML page to cross into a more privileged context.

The vendor-side 7.5/HIGH score overstates what defenders should patch against first on a 10,000-host estate. In the real world this is *not* unauthenticated remote compromise of Chrome from scratch; it is a second-stage browser sandbox/privilege-escalation component that only matters after a separate renderer exploit succeeds, and there is no KEV entry, no public exploitation evidence, and extremely low EPSS to offset that friction.

"This is a chain-finisher, not an entry bug: serious in a Chrome exploit chain, mediocre by itself."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the user on attacker-controlled content

The attacker needs a victim to render malicious web content, because the published description says exploitation is driven through a crafted HTML page. Weaponized tool at this stage is typically a phishing link, malvertising redirect, or compromised site hosting the page; there is no public exploit kit reference tied to this CVE as of 2026-06-05.
Conditions required:
  • Victim uses vulnerable Chrome build
  • Victim can be induced to load attacker-controlled HTML
  • Browser updates have not already moved the host to 149.0.7827.53/54 or later
Where this breaks in practice:
  • User interaction is required
  • Modern URL filtering, browser isolation, and safe browsing controls can disrupt delivery
  • Auto-update heavily shrinks dwell time for browser-only flaws
Detection/coverage: Web proxy, SWG, and browser telemetry may catch the lure or redirect, but scanners do not directly validate this attack stage.
STEP 02

Compromise the renderer with a separate bug

This CVE does *not* provide initial code execution in Chrome. The attacker first needs a distinct renderer compromise primitive such as a memory corruption or type confusion bug in a reachable renderer component; this is the real gating requirement and effectively turns CVE-2026-11149 into a chain dependency rather than a standalone internet-facing exploit.
Conditions required:
  • A separate renderer exploit exists and works against the same victim build
  • Exploit reliability is high enough to survive modern Chrome hardening
  • The exploit chain is tuned to the target OS and channel
Where this breaks in practice:
  • This is high attacker cost and specialist tradecraft
  • Chrome sandboxing, process isolation, CFG, CET, PAC, and crash-hardening reduce reliability
  • Without a renderer bug, CVE-2026-11149 is inert
Detection/coverage: EDR/browser crash telemetry may show renderer crashes or child-process anomalies, but commodity vuln scanners cannot see this prerequisite.
STEP 03

Use CVE-2026-11149 to escape into a higher-privilege Extensions context

Once renderer execution is achieved, the attacker abuses insufficient validation in Extensions via crafted HTML to perform privilege escalation. Weaponized tool here would be a custom chain module built around Chromium issue 501739206; Google kept bug details restricted, which is normal for browser escape-class issues and means defenders should assume chaining value even without a public PoC.
Conditions required:
  • Renderer process is already attacker-controlled
  • Target is still on a vulnerable build
  • Exploit chain can reach the relevant Extensions code path
Where this breaks in practice:
  • This bug appears to be useful mainly *after* prior compromise
  • The affected code path is narrower than generic browser navigation or network parsing bugs
  • No public PoC lowers copycat risk
Detection/coverage: Little reliable network-side coverage. Detection is mostly behavioral: browser child-process anomalies, suspicious extension API usage, or crash/restart patterns.
STEP 04

Monetize the browser-side privilege gain

The likely payoff is a stronger browser foothold: broader access to browser/extension data or a better bridge to follow-on actions. That is meaningful, but it is still usually *one hop in a chain*, not guaranteed OS takeover by itself.
Conditions required:
  • Successful chain through steps 1-3
  • Target data of value is present in the browser context
  • Downstream defenses do not block post-exploitation actions
Where this breaks in practice:
  • Impact is bounded by browser architecture and enterprise controls
  • OS-level privilege escalation still requires more work if the attacker wants full host takeover
  • Short browser patch cycles reduce window for stable operational use
Detection/coverage: EDR, browser telemetry, and identity/session monitoring are more useful here than vuln scanning.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found as of 2026-06-05; CISA KEV does not list this CVE.
KEV statusNot KEV-listed. That removes the strongest urgency amplifier for enterprise reprioritization.
Proof-of-concept availabilityNo reputable public PoC or exploit code was located in quick checks of public search results and Exploit-DB. Chromium bug 501739206 is restricted, so attackers with private research may still chain it.
EPSS0.00066 from the user-supplied intel, which is *extremely low* and directionally consistent with a chain-dependent browser flaw rather than a mass-exploited initial-access bug.
CVSS vector meaningCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H says remote, high complexity, no auth, user interaction required. The missing nuance is that the description also requires an *already compromised renderer*, which is massive real-world friction not obvious from a topline 7.5.
Affected versionsGoogle Chrome before 149.0.7827.53 on Linux and before 149.0.7827.53/54 on Windows/macOS; NVD models this broadly as Chrome versions below 149.0.7827.53.
Fixed versionsPatched in Chrome 149.0.7827.53 for Linux and 149.0.7827.53/54 for Windows/Mac per the Chrome stable release advisory.
Disclosure timelineChrome stable desktop update published 2026-06-02; NVD record published 2026-06-04; NVD last modified 2026-06-05.
Reporter / discovererReported by Google on 2026-04-11 in the Chrome stable advisory, not by an external researcher.
Scanning / exposure telemetry*Inference:* this is client-side browser code, not a listening service, so Shodan/Censys/FOFA/GreyNoise exposure counts are not decision-grade here. Internet scan telemetry is far less relevant than browser fleet version telemetry.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.4/10)

The decisive factor is the prerequisite that the attacker must have *already compromised the renderer process*. That makes this a post-initial-compromise chain component with a sharply narrower exposed population than the vendor's HIGH label implies, and there is no exploitation evidence to push it back up.

HIGH Affected versions and fixed build numbers
HIGH Exploitability prerequisite: compromised renderer required
MEDIUM Operational impact after privilege escalation because Chromium bug details remain restricted

Why this verdict

  • Major downward adjustment: the CVE description itself says the attacker must have *already compromised the renderer process*, which implies a prior successful browser exploit stage.
  • Another downward adjustment: attacker position is effectively *post-initial-access within Chrome*, not clean unauthenticated remote compromise of the endpoint from nothing.
  • Another downward adjustment: exposure population is broad in install base but narrow in *reachable exploitability*; only victims hit by a separate working renderer exploit can use this bug.
  • Another downward adjustment: no KEV listing, no public campaign reporting, and a very low EPSS remove the normal urgency amplifiers.
  • Residual upward pressure: Chrome is ubiquitous, and sandbox/privilege-escalation components are valuable when paired with a renderer bug, so this is not backlog-trash.

Why not higher?

Because this CVE is not a one-click remote takeover by itself. Requiring a separate renderer compromise plus user interaction compounds attacker cost and collapses the real reachable population compared with true standalone browser RCEs or actively exploited zero-days.

Why not lower?

Because browser escape/privilege-escalation primitives matter in real exploit chains, especially on heavily targeted user populations. If an attacker already has renderer execution, this bug may materially improve blast radius inside the browser and help turn a crash-prone foothold into a usable intrusion.

05 · Compensating Control

What to do — in priority order.

  1. Enforce Chrome auto-update and relaunch compliance — Make fleet policy verify that Chrome has actually moved to 149.0.7827.53/54 or later and that users relaunch promptly so the fixed binaries are loaded. For a MEDIUM noisgate verdict there is no mitigation SLA — go straight to the 365-day remediation window, but browsers should still stay in your normal fast evergreen ring.
  2. Harden extension posture — Restrict extension installs to an allowlist, remove unused extensions, and block sideloading where possible. This does not patch the bug, but it reduces the value of landing in a more privileged Extensions context; for MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window.
  3. Monitor browser crash and exploit-like telemetry — Look for renderer crashes, abnormal child-process trees, rapid browser restarts, and suspicious extension API behavior in EDR/browser telemetry. This is useful because exploitation likely requires a preceding renderer bug, and for MEDIUM there is no mitigation SLA — go straight to the 365-day remediation window.
  4. Keep web filtering and browser isolation tuned — Prevent delivery of the crafted HTML stage with SWG, URL filtering, and remote browser isolation for high-risk users. This only breaks the lure/delivery leg and does not replace patching; for MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window.
What doesn't work
  • Relying on perimeter exposure scans doesn't help much, because this is not a server-side listening service vulnerability.
  • MFA does not meaningfully reduce exploitability here; the attack lives in the browser process, not an authentication flow.
  • Extension allowlisting alone is not a patch. It reduces post-exploitation value but does not remove the vulnerable Chrome code path.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your software-distribution/EDR script runner. Invoke with python3 check_chrome_cve_2026_11149.py; it needs only standard user rights, though Windows registry/path access is more reliable when run in the user context where Chrome is installed.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# check_chrome_cve_2026_11149.py
# Detect whether installed Google Chrome is vulnerable to CVE-2026-11149.
# Outputs exactly one of: VULNERABLE, PATCHED, UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import platform
import re
import shutil
import subprocess
import sys

TARGET = (149, 0, 7827, 53)


def parse_version(text):
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def cmp_ver(a, b):
    return (a > b) - (a < b)


def run_cmd(cmd):
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10)
        out = (p.stdout or '') + ' ' + (p.stderr or '')
        return out.strip()
    except Exception:
        return ''


def windows_candidates():
    candidates = []
    for base in [os.environ.get('ProgramFiles'), os.environ.get('ProgramFiles(x86)'), os.environ.get('LocalAppData')]:
        if not base:
            continue
        candidates.append(os.path.join(base, 'Google', 'Chrome', 'Application', 'chrome.exe'))
    return [c for c in candidates if c]


def mac_candidates():
    return [
        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
        os.path.expanduser('~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'),
    ]


def linux_candidates():
    bins = []
    for name in ['google-chrome', 'google-chrome-stable', 'chrome', 'google-chrome-beta']:
        p = shutil.which(name)
        if p:
            bins.append(p)
    return bins


def get_version():
    system = platform.system().lower()
    candidates = []

    if 'windows' in system:
        candidates = windows_candidates()
    elif 'darwin' in system:
        candidates = mac_candidates()
    else:
        candidates = linux_candidates()

    for path in candidates:
        if os.path.exists(path) or shutil.which(path):
            out = run_cmd([path, '--version'])
            ver = parse_version(out)
            if ver:
                return ver, path, out

    # Windows registry fallback
    if 'windows' in system:
        try:
            import winreg
            reg_paths = [
                r'SOFTWARE\Google\Chrome\BLBeacon',
                r'SOFTWARE\WOW6432Node\Google\Chrome\BLBeacon',
            ]
            for hive in [winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE]:
                for reg_path in reg_paths:
                    try:
                        with winreg.OpenKey(hive, reg_path) as key:
                            value, _ = winreg.QueryValueEx(key, 'version')
                            ver = parse_version(str(value))
                            if ver:
                                return ver, 'registry:' + reg_path, str(value)
                    except OSError:
                        pass
        except Exception:
            pass

    return None, None, None


def main():
    ver, source, raw = get_version()
    if not ver:
        print('UNKNOWN')
        sys.exit(2)

    if cmp_ver(ver, TARGET) < 0:
        print('VULNERABLE')
        sys.exit(1)
    else:
        print('PATCHED')
        sys.exit(0)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a browser exploit-chain component, not a front-of-queue emergency by itself. For a MEDIUM noisgate verdict there is noisgate mitigation SLA — no mitigation SLA, go straight to the 365-day remediation window; the noisgate remediation SLA is to get Chrome to 149.0.7827.53/54 or later within 365 days, while keeping your normal evergreen browser ring tight, prioritizing high-risk user groups and validating relaunch compliance rather than burning an outage window for the whole estate.

Sources

  1. NVD entry for CVE-2026-11149
  2. Chrome Releases stable desktop update for Chrome 149
  3. Chromium issue 501739206
  4. Chromium severity guidelines
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS overview
  7. FIRST EPSS probability and percentile notes
  8. MITRE CWE-20
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.