01 · The Real Story
This is a peephole in a moving car, not a broken door lock
CVE-2026-11160 is an out-of-bounds read in Chrome's Input component on Linux only. A user running Google Chrome prior to 149.0.7827.53 can be induced to load a crafted HTML page, which may leak data from process memory. The stated impact is confidentiality only: no integrity loss, no availability loss, and no stated sandbox escape or code execution path.
Google's MEDIUM 6.5 baseline is broadly fair, but in enterprise reality this lands a bit lower. The biggest downward pressures are: user interaction is mandatory, the affected population is only Linux Chrome, and the impact is an information disclosure rather than code execution. That still matters for browser fleets, but it is not the kind of Chrome bug that should blow up your patch board unless you have a large Linux desktop or developer population.
"Drive-by capable, but Linux-only, click-required, and info-leak only keeps this out of the urgent queue"
02 · The Attack Path
3 steps from start to impact.
STEP 01
Deliver a malicious page
The attacker needs the victim to render attacker-controlled HTML/JavaScript in vulnerable Chrome on Linux. In practice this means phishing, malvertising, a poisoned link in chat, or a compromised site. There is no evidence of a public weaponized kit for this CVE, so this is currently a custom lure + custom HTML harness problem, not commodity exploitation.
Conditions required:
- Victim uses Google Chrome on Linux prior to 149.0.7827.53
- Victim loads attacker-controlled web content
- Normal web access to the attacker page is allowed
Where this breaks in practice:
- Requires user interaction (
UI:R), so no blind server-side hit - Linux Chrome population is usually far smaller than Windows browser population in enterprises
- URL filtering, safe browsing, email security, and web isolation can kill the lure before the bug matters
Detection/coverage: Vulnerability scanners usually identify this only by version, not exploitability. Secure web gateways, email gateways, and browser telemetry are more likely to see the initial lure than the memory-read trigger itself.
STEP 02
Trigger the Input out-of-bounds read
Once the page is rendered, a crafted sequence of DOM/event/input handling exercises the vulnerable code path in Chrome's
Input component. The offensive tooling here is effectively a custom browser exploit harness embedded in HTML/JS. The result is an out-of-bounds read, which can expose adjacent process memory to attacker-controlled logic.Conditions required:
- Precise trigger path must still be reachable in the target build
- The vulnerable code path is exposed by page-driven input handling
Where this breaks in practice:
- No public PoC was located during source review
- Chrome exploit reliability for memory disclosure bugs often depends on build, timing, and allocator state
- Modern browser hardening and site isolation reduce the value of what can be leaked in one shot
Detection/coverage: EDR rarely gives a clean signature for a renderer-only memory disclosure. Browser crash telemetry and abnormal renderer behavior may help, but this class is generally low-visibility unless it crashes.
STEP 03
Harvest useful memory
The attacker then tries to turn leaked process memory into something actionable: tokens, page data, cross-origin residues, or secrets present in the compromised browser process. The offensive 'tool' is the same exploit harness plus exfiltration logic. This is where the gap between theoretical impact and operational value becomes obvious: not every memory leak yields durable or sensitive material.
Conditions required:
- Sensitive data must actually reside in the readable region at trigger time
- The browser process memory must contain something the attacker can recognize and use
Where this breaks in practice:
- Confidentiality impact is probabilistic, not guaranteed
- Leaked bytes may be unstable, partial, or non-secret
- Blast radius is typically limited to the victim's browser session rather than the host
Detection/coverage: Network detection may catch follow-on exfiltration to attacker infrastructure. The memory disclosure itself is typically below the visibility line of conventional endpoint controls.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No evidence found of active exploitation; not KEV-listed and Google did not frame this as a zero-day in the release material. |
|---|---|
| Public exploit / PoC | No public GitHub/Exploit-DB PoC located during review; assume custom exploit development required today. |
| EPSS | 0.00028 from the supplied intel, which is extremely low. I could not independently verify the percentile from source data available in browsing. |
| KEV status | No. CISA's Known Exploited Vulnerabilities Catalog does not list this CVE. |
| CVSS vector readout | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N means remote, no auth, but user interaction required and confidentiality-only impact. |
| Affected versions | Google Chrome on Linux prior to 149.0.7827.53. |
| Fixed version | Vendor-fixed in 149.0.7827.53. I did not find authoritative distro-backport guidance for Chromium package streams; treat the Google Chrome vendor build as authoritative. |
| Exposure / scanning reality | This is a client-side browser bug, so Shodan/Censys/FOFA-style internet exposure counts are largely irrelevant. Your real exposure is the size of your Linux Chrome fleet and whether users browse untrusted content. |
| Disclosure timeline | Disclosed 2026-06-04; Chrome's archive page shows the bug was reported by Google on 2026-04-12. |
| Reporter | Reported by Google, not an external researcher, per the Chrome release archive entry. |
04 · The Call
noisgate verdict.
Final Verdict
= UNCHANGED to MEDIUM (5.2/10)
The decisive factor is mandatory user interaction on a Linux-only browser population for a confidentiality-only bug. This is still a real client-side risk, but the reachable population and likely blast radius are both much narrower than the raw browser-CVSS optics suggest.
HIGH Affected version range and fixed version
MEDIUM Real-world exploitability without a public PoC
MEDIUM Operational impact of the memory disclosure
Why this verdict
- UI-required drops urgency: the attacker needs the victim to browse to hostile content, which moves this out of wormable/server-side territory immediately.
- Linux-only population narrows exposure: most enterprises have a materially smaller Linux desktop/browser estate than Windows, so the exploitable population is usually a minority slice of endpoints.
- Confidentiality-only impact constrains blast radius: this is not stated RCE, sandbox escape, or persistence. The attacker is fishing for process memory, not taking the box.
Why not higher?
There is no KEV listing, no public exploitation evidence, and no public PoC located. More importantly, the chain stops at a memory disclosure on Linux Chrome and still needs a user to render hostile content, which is a meaningful friction stack for enterprise prioritization.
Why not lower?
It is still a remote browser bug against one of the most routinely attacked client surfaces in the enterprise. No authentication is needed, a crafted page is enough to reach the vulnerable code path, and sensitive browser-process memory can still be valuable in targeted operations.
05 · Compensating Control
What to do — in priority order.
- Keep Linux browser auto-update healthy — Make sure Google Chrome update channels on Linux are functioning and not pinned behind stale repos or broken package policies. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but browser updates should still ride your normal endpoint-update cadence rather than waiting for annual backlog cleanup.
- Reduce untrusted web exposure — Use secure web gateways, DNS filtering, and browser isolation for high-risk user groups to cut off the malicious-page prerequisite. This matters most before the patched build is broadly deployed; for a MEDIUM verdict there is no separate mitigation SLA, so implement through standing controls and normal policy tuning.
- Prioritize Linux developer and admin workstations — If you have a small Linux fleet, the likely highest-risk subset is developers, admins, and research users who browse broadly and hold valuable tokens or internal app access in-browser. Move those systems to the front of the normal browser update ring even though this CVE does not justify emergency fleet disruption.
What doesn't work
- Perimeter scanning doesn't help much because this is not an internet-listening service exposure problem.
- Network segmentation of the endpoint alone does not stop a user from browsing to a malicious page and triggering the bug locally in the browser.
- MFA does not prevent initial memory disclosure; it only limits the value of certain leaked credentials after the fact.
06 · Verification
Crowdsourced verification payload.
Run this on the target Linux host or through your endpoint management agent. Invoke it as bash check-chrome-cve-2026-11160.sh; no root is required if the Chrome/Chromium binary is on PATH, though package-manager fallback checks may work better with standard local package visibility.
#!/usr/bin/env bash
# check-chrome-cve-2026-11160.sh
# Determine whether a Linux host is vulnerable to CVE-2026-11160
# Affected: Google Chrome on Linux prior to 149.0.7827.53
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
set -u
FIXED_VERSION="149.0.7827.53"
FOUND_NAME=""
FOUND_VERSION=""
get_bin_version() {
local bin="$1"
if command -v "$bin" >/dev/null 2>&1; then
local out
out="$($bin --version 2>/dev/null || true)"
echo "$out" | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n1
return 0
fi
return 1
}
# Compare dotted versions: returns
# 0 if equal, 1 if first > second, 2 if first < second
vercomp() {
local IFS=.
local i
local -a va=($1) vb=($2)
local len=${#va[@]}
if [ ${#vb[@]} -gt $len ]; then
len=${#vb[@]}
fi
for ((i=0; i<len; i++)); do
local a=${va[i]:-0}
local b=${vb[i]:-0}
if ((10#$a > 10#$b)); then
return 1
fi
if ((10#$a < 10#$b)); then
return 2
fi
done
return 0
}
check_pkg_mgr() {
local v=""
if command -v dpkg-query >/dev/null 2>&1; then
for pkg in google-chrome-stable google-chrome chromium-browser chromium; do
v=$(dpkg-query -W -f='${Version}\n' "$pkg" 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n1)
if [ -n "$v" ]; then
FOUND_NAME="$pkg"
FOUND_VERSION="$v"
return 0
fi
done
fi
if command -v rpm >/dev/null 2>&1; then
for pkg in google-chrome-stable google-chrome chromium-browser chromium; do
v=$(rpm -q --qf '%{VERSION}\n' "$pkg" 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n1)
if [ -n "$v" ]; then
FOUND_NAME="$pkg"
FOUND_VERSION="$v"
return 0
fi
done
fi
return 1
}
for candidate in google-chrome-stable google-chrome chromium-browser chromium; do
ver=$(get_bin_version "$candidate" || true)
if [ -n "${ver:-}" ]; then
FOUND_NAME="$candidate"
FOUND_VERSION="$ver"
break
fi
done
if [ -z "$FOUND_VERSION" ]; then
check_pkg_mgr || true
fi
if [ -z "$FOUND_VERSION" ]; then
echo "UNKNOWN - no Chrome/Chromium binary or package version found"
exit 2
fi
vercomp "$FOUND_VERSION" "$FIXED_VERSION"
rc=$?
case $rc in
2)
echo "VULNERABLE - $FOUND_NAME version $FOUND_VERSION is older than fixed $FIXED_VERSION"
exit 1
;;
0|1)
echo "PATCHED - $FOUND_NAME version $FOUND_VERSION is at or newer than fixed $FIXED_VERSION"
exit 0
;;
*)
echo "UNKNOWN - unable to compare versions"
exit 2
;;
esac
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning: identify your Linux Chrome population, confirm who is still below 149.0.7827.53, and let your normal browser update ring absorb this rather than declaring an emergency. For a MEDIUM reassessment there is noisgate mitigation SLA — no mitigation SLA — go straight to the 365-day remediation window — and the noisgate remediation SLA is ≤365 days; practically, that means patch it in routine browser maintenance, but give extra attention to Linux developer/admin workstations because they hold the most valuable browser-resident secrets.
Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.