CVE-2026-11162 · Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafte

01 · The Real Story

This is a peephole drilled in the browser wall, not a door kicked off its hinges

CVE-2026-11162 affects Google Chrome before 149.0.7827.53 on Linux and before 149.0.7827.53/.54 on Windows and macOS. The practical issue is a malicious web page abusing a CSS-side policy mistake to infer or leak cross-origin data from another origin already open or reachable in the victim's browser context. One wrinkle: Google's June 2, 2026 stable release notes label this CVE as "Insufficient policy enforcement in CSS", while some downstream CVE mirrors describe it as "Inappropriate implementation in CSS".

Google calling this MEDIUM is basically right. The bug is reachable over the web and Chrome's deployment footprint is huge, but the attacker still needs a user to render hostile content and the impact described is limited to confidentiality leakage, not code execution, persistence, or host compromise. The real risk driver is stolen browser-session data from SaaS or internal apps, not a beachhead on the endpoint.

"A real browser data leak, but still a user-driven browser bug—not an enterprise-wide foothold"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the victim on attacker-controlled HTML/CSS

The attacker serves a crafted page that exercises the CSS bug path in Chrome. In practice this is a phishing link, malvertising redirect, compromised website, or embedded content flow rather than a scanner-to-service exploit. Weaponized tool: a custom HTML/CSS proof page, delivered by ordinary web infrastructure.

Conditions required:

Victim uses vulnerable Chrome prior to 149.0.7827.53
Victim loads attacker-controlled content in the browser

Where this breaks in practice:

Requires user interaction (UI:R), so this is not an unauthenticated server-side smash-and-grab
Safe Browsing, email filtering, DNS filtering, and browser isolation can break delivery

Detection/coverage: Traditional network vuln scanners do not prove exploitability here; version inventory and web telemetry are the main coverage.

STEP 02

Exploit CSS policy mistake against cross-origin content

Once rendered, the hostile page abuses the CSS handling flaw to bypass intended browser policy boundaries and derive cross-origin information. This is a browser trust-boundary failure, not a remote code execution chain. Weaponized tool: the crafted CSS/DOM interaction itself, per Google's advisory and downstream CVE descriptions.

Conditions required:

Targeted cross-origin data is present or reachable in the victim browser session
The vulnerable code path is exercised by the crafted page

Where this breaks in practice:

Impact depends on what the user is already signed into or viewing
Leakage is usually narrower than full same-origin read/write compromise

Detection/coverage: There is usually no signature-based detection for the exploit primitive itself; browser crash telemetry is unlikely because this is described as information disclosure, not memory corruption.

STEP 03

Harvest data from the victim's browser context

The attacker extracts whatever the bug exposes—tokens, page-derived secrets, account metadata, or snippets of sensitive cross-origin content—and packages it for exfiltration. The blast radius is the victim's browser session and accessible web apps, not the full host. Weaponized tool: JavaScript exfil logic using normal browser APIs such as fetch() or sendBeacon().

Conditions required:

The victim is authenticated to a useful target application
The leaked data is actually valuable enough to abuse

Where this breaks in practice:

If the user is not signed into sensitive apps, the payoff drops hard
Some modern apps already reduce browser-readable secrets with stricter token handling and partitioning

Detection/coverage: Proxy, CASB, or browser telemetry may catch suspicious outbound posts, but coverage is inconsistent because traffic looks like normal HTTPS.

STEP 04

Pivot with stolen web-session intelligence

Any follow-on impact comes after the browser leak: account takeover attempts, internal portal reconnaissance, or targeted fraud against the user's SaaS sessions. This is where the enterprise pain shows up, but it is a second-stage abuse path. Weaponized tool: the attacker's own SaaS abuse workflow, not a kernel or endpoint exploit.

Conditions required:

Leaked material is reusable outside the original browser session
Target service accepts the stolen data for meaningful actions

Where this breaks in practice:

MFA, token binding, re-auth prompts, device trust, and conditional access can kill reuse
Blast radius is usually user- or app-scoped, not domain-wide

Detection/coverage: Identity telemetry is more useful than host telemetry here: impossible travel, new device sign-ins, token misuse, and unusual app actions.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No authoritative evidence found that `CVE-2026-11162` is under active exploitation. Google did not flag it as exploited in the June 2, 2026 stable release notes, and CISA KEV does not list it.
PoC availability	No credible public PoC or exploit repository surfaced in primary-source review. Expect private repros inside the Chromium ecosystem, but there is no broad public weaponization signal yet.
EPSS	`0.00025` per your intel, which is effectively background-noise territory. That aligns with a browser-side info leak lacking public exploit traction.
KEV status	Not KEV-listed. Treat that as a strong downward pressure on urgency because there is no CISA-backed exploitation evidence.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N` maps to remote reachability with required user interaction and confidentiality-only impact. No integrity or availability impact is claimed.
Affected versions	Chrome before `149.0.7827.53` on Linux and before `149.0.7827.53/.54` on Windows/macOS, per Google's stable channel release.
Fixed versions	Google fixed this in Chrome `149.0.7827.53` for Linux and `149.0.7827.53/.54` for Windows/macOS. There is no meaningful distro-backport story here because this is browser vendor packaging, not a shared server library.
Exposure and scanning reality	This is not a Shodan/Censys/FOFA problem because Chrome is a client, not an internet-facing service. Exposure is operationally huge, though: Statcounter shows Chrome with roughly 71%+ worldwide desktop browser share, so the reachable population is large even if internet-wide scanners cannot enumerate it.
Disclosure timeline	Your intel says disclosure was `2026-06-04`; Google's stable fix shipped on 2026-06-02. For defenders, the patch was available before or at broad public awareness.
Advisory wording mismatch	Primary-source note: Google's release notes call it "Insufficient policy enforcement in CSS". Some downstream feeds call it "Inappropriate implementation in CSS" and describe cross-origin leakage via a crafted HTML page. The operational takeaway is unchanged: browser-side policy failure leading to limited data disclosure.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to MEDIUM (4.9/10)

The decisive factor is required user-driven browser rendering combined with confidentiality-only impact. This can absolutely matter in enterprises because Chrome is everywhere and SaaS sessions are valuable, but it is still a browser-session leak—not a server-side foothold or endpoint takeover class event.

HIGH Exploit preconditions and blast radius

MEDIUM Exact bug taxonomy due advisory wording mismatch across sources

Why this verdict

Start from vendor 4.3: Google's baseline is sane because the published impact is low-grade cross-origin data exposure with UI:R, not code exec.
Downward pressure from attacker position: the chain begins with a user loading hostile content in a vulnerable browser. That implies phishing, malvertising, or prior traffic control rather than direct unauthenticated remote exploitation of enterprise infrastructure.
Downward pressure from blast radius: exploitation stays inside the victim's browser/session context. Even with a successful leak, this is usually user- or app-scoped rather than domain-wide or host-wide compromise.
Upward pressure from exposure population: Chrome is massively deployed, so even a medium browser bug can hit a lot of endpoints if update hygiene is poor.
Net adjustment: ubiquity nudges the score slightly up from a sterile lab view, but lack of KEV, no public PoC signal, and no integrity/availability impact keep it firmly in MEDIUM.

Why not higher?

There is no evidence of active exploitation, no KEV listing, and no public signal that this is being mass-weaponized. More importantly, the published impact is a data leak with user interaction required; that is materially less urgent than a no-click RCE, sandbox escape, or auth bypass on an enterprise platform.

Why not lower?

This is not harmless. A browser-side cross-origin leak can expose sensitive application data from already-authenticated enterprise users, and Chrome's footprint means the reachable population is large. If your fleet has stale browsers or privileged admins browsing broadly, the business impact is real enough to stay above LOW.

05 · Compensating Control

What to do — in priority order.

Enforce Chrome auto-update health — Use enterprise browser management to ensure Chrome actually advances to 149.0.7827.53+ and that relaunch deadlines are working. For a MEDIUM verdict there is no mitigation SLA, so use this as an operational accelerator while staying inside the <=365 day remediation window.
Harden web delivery controls — Keep Safe Browsing, email URL detonation, DNS/web filtering, and browser reputation controls enabled because they attack the delivery step that this bug depends on. There is no mitigation SLA for MEDIUM, but these controls should remain continuously enforced while you remediate within <=365 days.
Isolate privileged browsing — Route admins, finance, and IdP-heavy users through browser isolation or stricter application control where feasible. This is the best temporary risk reducer because the value of this CVE rises sharply when the user has high-value active sessions; again, no mitigation SLA applies, so use it selectively while patching in the <=365 day window.
Inventory stranded Chrome channels — Find VDI images, kiosk builds, offline laptops, and unmanaged local installs that miss normal browser servicing. Those long-tail systems are where a medium browser bug becomes persistent backlog debt; close them during the <=365 day remediation period.

What doesn't work

A WAF does not solve this because the exploit executes in the victim browser against whatever content the user loads; there is no single enterprise web app chokepoint to shield.
Perimeter internet-facing vulnerability scanning is mostly useless here because Chrome is client software, not a remotely fingerprintable server service.
Classic EDR malware blocking alone is not enough; the payload can just be hostile web content and normal HTTPS exfiltration rather than a dropped binary.

06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or via your EDR/remote execution platform. Invoke with python3 check_chrome_cve_2026_11162.py on macOS/Linux or py check_chrome_cve_2026_11162.py on Windows; no admin rights are required, but the script must be able to execute the local Chrome binary or read its version from common install paths.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# check_chrome_cve_2026_11162.py
# Checks whether local Google Chrome is below the fixed version for CVE-2026-11162.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import platform
import re
import shutil
import subprocess
import sys
from typing import Optional, Tuple

FIXED_LINUX = (149, 0, 7827, 53)
FIXED_WIN_MAC = (149, 0, 7827, 53)  # Accept .53 or later; advisory notes Windows/Mac .53/.54


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def run_version(cmd):
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=8)
        out = (p.stdout or '') + ' ' + (p.stderr or '')
        return parse_version(out)
    except Exception:
        return None


def candidate_paths():
    system = platform.system().lower()
    paths = []
    if system == 'windows':
        envs = [os.environ.get('ProgramFiles'), os.environ.get('ProgramFiles(x86)'), os.environ.get('LocalAppData')]
        for base in envs:
            if not base:
                continue
            paths.append(os.path.join(base, 'Google', 'Chrome', 'Application', 'chrome.exe'))
    elif system == 'darwin':
        paths.extend([
            '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
            os.path.expanduser('~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome')
        ])
    else:
        for name in ['google-chrome', 'google-chrome-stable', 'chromium', 'chromium-browser']:
            resolved = shutil.which(name)
            if resolved:
                paths.append(resolved)
        paths.extend([
            '/usr/bin/google-chrome',
            '/usr/bin/google-chrome-stable',
            '/opt/google/chrome/chrome'
        ])
    return paths


def get_local_version() -> Optional[Tuple[int, int, int, int]]:
    for path in candidate_paths():
        if os.path.exists(path) or shutil.which(path):
            v = run_version([path, '--version'])
            if v:
                return v
    return None


def compare(v1, v2):
    return (v1 > v2) - (v1 < v2)


def main():
    system = platform.system().lower()
    version = get_local_version()

    if not version:
        print('UNKNOWN: Could not determine local Chrome version')
        sys.exit(2)

    fixed = FIXED_WIN_MAC if system in ('windows', 'darwin') else FIXED_LINUX

    if compare(version, fixed) < 0:
        print(f'VULNERABLE: Detected Chrome version {".".join(map(str, version))} < fixed {".".join(map(str, fixed))}')
        sys.exit(1)
    else:
        print(f'PATCHED: Detected Chrome version {".".join(map(str, version))} >= fixed {".".join(map(str, fixed))}')
        sys.exit(0)


if __name__ == '__main__':
    main()

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not open an emergency war room for this one. Query your fleet for Chrome versions below 149.0.7827.53, verify auto-update and relaunch enforcement are working, and clean up long-tail unmanaged installs; for this MEDIUM reassessment there is noisgate mitigation SLA — no mitigation SLA — go straight to the 365-day remediation window — and the noisgate remediation SLA is <=365 days to get all endpoints onto the fixed build. If you have privileged users who browse widely, move them faster through your normal browser update ring, but this is still normal servicing, not immediate incident-response patching.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.