CVE-2026-11159 · Uninitialized Use in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML pag

01 · The Real Story

This is a peephole in the browser wall, not a door kicked off its hinges

CVE-2026-11159 is an uninitialized-use bug in Chrome's Skia graphics stack that affects Google Chrome versions prior to 149.0.7827.53 on Linux and 149.0.7827.53/54 on Windows and macOS. The stated impact is narrow: a remote attacker can use a crafted HTML page to leak *cross-origin data*, which means confidentiality exposure rather than code execution, persistence, or browser sandbox escape.

Google's MEDIUM 4.3 rating is a little generous for enterprise patch triage and a little harsh if you read it as patch-now emergency. In real fleets this requires a user to hit attacker-controlled content in Chrome, the exploit result is only a low-grade data leak, there is no known KEV entry or public exploitation signal, and there is no public PoC I could validate. That combination pushes this below a normal medium-priority disruption item.

"A browser-side data leak with user interaction and low-impact output; patch it, but don’t break the queue for it."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the victim on attacker HTML

The attacker needs a user to open a malicious page in a vulnerable Chrome build. The practical weapon is just a hosted HTML/JavaScript harness; there is no server foothold requirement, but there *is* a user-interaction dependency because the page has to be rendered in the victim browser.

Conditions required:

Victim is running Chrome earlier than 149.0.7827.53
Victim browses to attacker-controlled content
Chrome protections or policy do not block that content path

Where this breaks in practice:

Requires user interaction, so this is not wormable or drive-by at enterprise scale without a separate delivery mechanism
Web filtering, DNS filtering, Safe Browsing, email/link rewriting, and browser isolation reduce reachable population

Detection/coverage: Version scanners can identify vulnerable Chrome builds reliably. Detection of the initial malicious page visit depends on proxy, DNS, Secure Web Gateway, or browser telemetry rather than host vulnerability scanning.

STEP 02

Trigger the Skia memory flaw

Once rendered, the malicious page must drive the specific Skia code path that reads uninitialized state. The weaponized component is the browser-side JavaScript/graphics primitive chain, but bug details are restricted by Google, so exploit reliability is not publicly established.

Conditions required:

Exploit chain reaches the vulnerable Skia path
Browser build and platform behavior line up with the bug condition

Where this breaks in practice:

Google has not published technical bug details yet, which slows commodity weaponization
Client-side graphics bugs often have version- and platform-specific reliability issues

Detection/coverage: Expect weak preventive scanner coverage beyond version checks. Crash telemetry or browser anomaly reporting may help if exploit attempts are unstable.

STEP 03

Extract same-browser confidential data

The stated impact is leaking cross-origin data, not arbitrary code execution. That means the attacker still has to turn the memory disclosure into useful browser-resident information such as page-derived secrets, tokens, or data visible in the victim session context.

Conditions required:

Victim has valuable browser session state or sensitive content open or reachable
Leak output is stable enough to recover useful bytes

Where this breaks in practice:

Confidentiality impact is explicitly low in the published CVSS vector
The leak may expose only limited or noisy data, not full session takeover

Detection/coverage: This step is hard to detect directly. Focus on browser telemetry, suspicious web destinations, and anomalous authenticated actions downstream if exfiltrated data is later abused.

STEP 04

Operationalize the stolen data

Any real enterprise harm comes only after the attacker uses the leaked information somewhere else. This is where the bug's true severity drops: the CVE is merely the collection primitive, and it still depends on what data was exposed and whether that data is reusable.

Conditions required:

Leaked material is sensitive and actionable
The attacker can use that data before it expires or is invalidated

Where this breaks in practice:

Session expiration, conditional access, re-auth prompts, and MFA can blunt value of leaked data
Blast radius is usually tied to the single browser session, not instant host or domain compromise

Detection/coverage: Identity telemetry, UEBA, and downstream app logs are more useful here than endpoint exploit detection.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation found. I found no CISA KEV listing and no credible campaign reporting tied to this CVE.
KEV status	Not listed in CISA Known Exploited Vulnerabilities as checked against the catalog source.
PoC availability	No public PoC validated. Public search did not turn up a reproducible GitHub exploit or researcher write-up for this exact CVE.
EPSS	`0.00035` from the prompt intel, which is roughly 0.035% exploit probability over 30 days; that is firmly low-signal threat activity.
CVSS meaning	`AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N` means remote, no auth, but user interaction is required and the published impact is low confidentiality only with no integrity or availability loss.
Affected versions	Google Chrome prior to `149.0.7827.53`; Google's desktop release note splits that as Linux `149.0.7827.53` and Windows/Mac `149.0.7827.53/54`.
Fixed versions	Upgrade to Chrome `149.0.7827.53` or later on Linux and `149.0.7827.53/54` or later on Windows/macOS. Chromium-based downstream browsers will need their own vendor rebuild cadence.
Disclosure timeline	Chrome stable update published 2026-06-02; the CVE entry surfaced publicly on 2026-06-04; the Chrome issue entry marks the bug as reported on 2026-04-12.
Reporter	Reported by Google, not an external researcher bounty report in the public release note.
Exposure and scanning reality	Shodan/Censys/GreyNoise are mostly irrelevant here. This is browser-client exposure, not an internet-exposed server socket, so external attack-surface counts do not map cleanly to enterprise risk.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.4/10)

The deciding factor is user interaction plus low-impact output: the bug needs a victim browsing event and only advertises a limited confidentiality leak, not code execution or sandbox escape. With no KEV listing, no validated public PoC, and no confirmed active exploitation, this is a real but low-urgency browser hygiene item rather than a front-of-queue incident.

HIGH Affected version boundary and vendor-issued fix

MEDIUM Assessment that exploitability is low in real enterprise fleets

LOW Absence of public PoC or campaign evidence may change as Google lifts bug restrictions

Why this verdict

Down one notch for user interaction: this is UI:R, so the attacker still needs a delivery path and a victim browsing event; that sharply reduces autonomous exploitation potential.
Down again for blast radius: the stated impact is only C:L with I:N/A:N, so this is a data leak primitive, not host takeover, sandbox escape, or durable foothold.
Down again for current threat intel: no KEV, no validated public exploit, and a very low EPSS score all argue against emergency prioritization despite Chrome's huge install base.

Why not higher?

If this were remote code execution, a sandbox escape, or a no-click same-origin-policy break, it would climb fast because Chrome is everywhere. But the published impact is a limited browser-side confidentiality leak, and the attack chain depends on a user rendering attacker content first.

Why not lower?

It is still a remotely triggerable browser bug in one of the most widely deployed enterprise applications. Even low-grade cross-origin leakage can matter when the victim is already authenticated to sensitive SaaS apps, so this is not something to ignore outright.

05 · Compensating Control

What to do — in priority order.

Force browser auto-update — Make sure Chrome updates are not pinned behind broad change windows; for a LOW verdict there is no SLA beyond backlog hygiene, but this is still the cleanest fix path because vulnerable clients are easy to inventory and update.
Route risky browsing through isolation or SWG controls — Use browser isolation, secure web gateway policy, or category/domain blocking for untrusted destinations to cut the delivery path. For a LOW verdict there is no formal mitigation SLA, so apply where already available rather than launching a special project.
Tighten Chrome version compliance reporting — Build a view of endpoints below 149.0.7827.53 so the browser team can drain laggards. This matters because browser CVEs age badly once technical details are unsealed, even when they start life as low-priority disclosures.
Watch identity telemetry for reuse of browser-resident data — Because the likely business impact is downstream abuse of leaked session data, alert on unusual token reuse, impossible travel, and anomalous SaaS actions. That is not a substitute for patching, but it narrows the damage window if the bug is exploited.

What doesn't work

Relying on EDR alone does not help much; this is a browser-rendering issue that may never drop a payload or spawn an obviously malicious process.
Treating this like an internet-facing server exposure with Shodan-style perimeter hunting is the wrong model; the vulnerable surface is the endpoint browser estate.
Blocking only known exploit binaries is ineffective because the practical weapon is just crafted web content rendered in the browser.

06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your software inventory agent to check the installed Chrome version locally. Invoke it with python3 chrome_cve_2026_11159_check.py; no admin rights are required if the standard install paths and registry/plist metadata are readable, though broader filesystem visibility improves detection on Linux.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3\n# CVE-2026-11159 Chrome version check\n# Outputs: VULNERABLE / PATCHED / UNKNOWN\n# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN\n\nimport os\nimport platform\nimport re\nimport shutil\nimport subprocess\nimport sys\nfrom pathlib import Path\n\nTARGET = (149, 0, 7827, 53)\n\n\ndef parse_version(text):\n    if not text:\n        return None\n    m = re.search(r'(\\d+)\\.(\\d+)\\.(\\d+)\\.(\\d+)', text)\n    if not m:\n        return None\n    return tuple(int(x) for x in m.groups())\n\n\ndef cmp_version(a, b):\n    return (a > b) - (a < b)\n\n\ndef run_cmd(cmd):\n    try:\n        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10)\n        if p.returncode == 0:\n            return p.stdout.strip()\n    except Exception:\n        pass\n    return None\n\n\ndef get_windows_version():\n    # Try common install paths first\n    candidates = [\n        os.path.expandvars(r'%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe'),\n        os.path.expandvars(r'%ProgramFiles(x86)%\\Google\\Chrome\\Application\\chrome.exe'),\n        os.path.expandvars(r'%LocalAppData%\\Google\\Chrome\\Application\\chrome.exe'),\n    ]\n    for exe in candidates:\n        if exe and os.path.exists(exe):\n            out = run_cmd([\n                'powershell', '-NoProfile', '-Command',\n                f\"(Get-Item '{exe}').VersionInfo.ProductVersion\"\n            ])\n            v = parse_version(out)\n            if v:\n                return v, exe\n\n    # Registry fallback\n    reg_paths = [\n        r'HKLM\\SOFTWARE\\Google\\Chrome\\BLBeacon',\n        r'HKLM\\SOFTWARE\\WOW6432Node\\Google\\Chrome\\BLBeacon',\n        r'HKCU\\SOFTWARE\\Google\\Chrome\\BLBeacon',\n    ]\n    for key in reg_paths:\n        out = run_cmd(['reg', 'query', key, '/v', 'version'])\n        v = parse_version(out)\n        if v:\n            return v, key\n    return None, None\n\n\ndef get_macos_version():\n    app = '/Applications/Google Chrome.app/Contents/Info.plist'\n    if os.path.exists(app):\n        out = run_cmd(['/usr/bin/defaults', 'read', app.replace('/Contents/Info.plist', ''), 'CFBundleShortVersionString'])\n        v = parse_version(out)\n        if v:\n            return v, app\n    return None, None\n\n\ndef get_linux_version():\n    cmds = [\n        ['google-chrome', '--version'],\n        ['google-chrome-stable', '--version'],\n        ['chromium-browser', '--version'],\n        ['chromium', '--version'],\n    ]\n    for cmd in cmds:\n        if shutil.which(cmd[0]):\n            out = run_cmd(cmd)\n            v = parse_version(out)\n            if v:\n                return v, cmd[0]\n\n    paths = [\n        '/opt/google/chrome/chrome',\n        '/usr/bin/google-chrome',\n        '/usr/bin/google-chrome-stable',\n        '/snap/bin/chromium',\n        '/usr/bin/chromium-browser',\n        '/usr/bin/chromium',\n    ]\n    for p in paths:\n        if os.path.exists(p) and os.access(p, os.X_OK):\n            out = run_cmd([p, '--version'])\n            v = parse_version(out)\n            if v:\n                return v, p\n    return None, None\n\n\ndef main():\n    system = platform.system().lower()\n    version = None\n    source = None\n\n    if 'windows' in system:\n        version, source = get_windows_version()\n    elif 'darwin' in system:\n        version, source = get_macos_version()\n    elif 'linux' in system:\n        version, source = get_linux_version()\n    else:\n        print('UNKNOWN - unsupported platform:', platform.system())\n        sys.exit(2)\n\n    if not version:\n        print('UNKNOWN - could not determine installed Chrome/Chromium version')\n        sys.exit(2)\n\n    # For Chrome desktop, patched floor is 149.0.7827.53 or newer.\n    # Windows/macOS may show .54, which is also >= target.\n    if cmp_version(version, TARGET) < 0:\n        print(f'VULNERABLE - detected version {".".join(map(str, version))} from {source}; expected >= 149.0.7827.53')\n        sys.exit(1)\n    else:\n        print(f'PATCHED - detected version {".".join(map(str, version))} from {source}; meets >= 149.0.7827.53')\n        sys.exit(0)\n\n\nif __name__ == '__main__':\n    main()\n

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as browser hygiene, not a fire drill: identify endpoints still below Chrome 149.0.7827.53, let auto-update catch the bulk, and clean up pinned or long-offline systems in normal desktop operations. For a LOW verdict there is no noisgate mitigation SLA and noisgate remediation SLA is backlog hygiene, so you do not need a special temporary control campaign unless your estate is slow to auto-update; just make sure the patch is absorbed in the next routine browser maintenance cycle and document any frozen exception groups.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.