← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11164 · CWE-416 · Disclosed 2026-06-04

Use after free in Blink in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a burglar getting into the building lobby, not the server room

CVE-2026-11164 is a use-after-free in Blink, Chrome's rendering engine, affecting Google Chrome before 149.0.7827.53. The practical outcome is that a remote attacker can serve a crafted HTML page that corrupts renderer memory and achieve arbitrary code execution inside Chrome's sandbox, not directly on the host OS. Fixed builds are 149.0.7827.53 on Linux and 149.0.7827.53/54 on Windows and macOS.

The raw 8.8 score overstates the enterprise urgency if you are prioritizing real-world blast radius. Yes, it is remote, easy to reach, and Chrome is everywhere; but the exploit lands inside the sandbox, requires user interaction, and there is no KEV listing, no public PoC located, and very low EPSS. For a 10,000-endpoint fleet, this is a patch-now-in-your-normal browser wave issue, not an all-hands incident unless a sandbox escape or in-the-wild chain appears.

"Dangerous bug class, but this is renderer-only code exec with user interaction and no live exploitation signal"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get a user onto a malicious page

The attacker needs the victim to render attacker-controlled web content, typically through phishing, malvertising, or a compromised legitimate site. The weaponized tool here is just crafted HTML/JavaScript delivered through the browser; no service exposure is required.
Conditions required:
  • Target uses Chrome below 149.0.7827.53
  • User browses to attacker-controlled or attacker-influenced content
  • Chrome auto-update has not already moved the endpoint past the fix
Where this breaks in practice:
  • Requires user interaction rather than direct unauthenticated service reachability
  • Enterprise DNS filtering, SWG, email filtering, and ad blocking reduce delivery success
  • Chrome updates in the background on many fleets, shrinking the vulnerable window quickly
Detection/coverage: Version scanners and EDR inventory can identify vulnerable builds well; exploit delivery itself is usually only visible via web proxy, DNS, or email telemetry, not traditional network vuln scans.
STEP 02

Trigger the Blink use-after-free

Once the page renders, attacker-controlled DOM, layout, or script activity triggers the Blink UAF and corrupts memory in the renderer process. In practice this is a reliability problem for the attacker: weaponization must survive modern browser hardening and version drift.
Conditions required:
  • Victim successfully loads the crafted page
  • The exploit path still matches the victim's exact vulnerable build
  • Exploit is stable enough against Chrome mitigations
Where this breaks in practice:
  • Browser exploit reliability is brittle across minor versions and platforms
  • Crash telemetry, sandboxing, and modern exploit mitigations raise operational cost
  • No public PoC was located, so attacker effort is non-trivial today
Detection/coverage: Exploit-specific signatures are weak. Browser crash spikes, renderer crashes, and anomalous child-process behavior may be detectable, but commodity scanners will not validate exploitability.
STEP 03

Gain code execution in the renderer sandbox

Successful exploitation gives the attacker code execution inside Chrome's sandboxed renderer, which is materially different from arbitrary native code execution on the endpoint. The weaponized outcome is access to the renderer's constrained process context, not immediate host compromise.
Conditions required:
  • The memory corruption exploit succeeds
  • Chrome sandbox remains the only boundary crossed
Where this breaks in practice:
  • Sandbox containment sharply limits direct OS impact
  • Access is typically constrained to what the renderer process can reach
  • EDR child-process, injection, or unusual browser behavior detections may catch noisy follow-on actions
Detection/coverage: Most version-based scanners stop at 'vulnerable build.' EDR has a better chance than vuln scanning to notice abnormal Chrome process behavior after exploitation.
STEP 04

Need a second move for real endpoint impact

To turn this into durable host compromise, the attacker usually needs a sandbox escape, local privilege escalation, credential theft from browser-accessible material, or high-value in-session abuse. That follow-on stage is where enterprise harm becomes severe, but it is not provided by this CVE alone.
Conditions required:
  • Attacker has a usable post-renderer objective
  • A second vulnerability or accessible high-value browser context exists
  • Defensive controls do not interrupt the chain
Where this breaks in practice:
  • Requires chaining beyond the disclosed bug
  • Modern MFA, application isolation, and EDR limit post-exploitation value
  • Many enterprises treat browser compromise as suspicious long before it becomes full host takeover
Detection/coverage: Detections are mostly on the follow-on behavior: token theft, suspicious child processes, credential store access, or lateral movement. The single-CVE browser bug by itself is hard to conclusively observe.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation located at assessment time, and not listed in CISA KEV as of 2026-06-06.
PoC availabilityNo public PoC or exploit repo located for CVE-2026-11164. The Chromium issue reference is restricted, which is normal for fresh Chrome memory-corruption fixes.
EPSS0.0008 from the supplied intel, which is extremely low for near-term observed exploitation probability. Percentile was not authoritatively confirmed from primary-source data during this assessment.
KEV statusNot KEV-listed. That removes the strongest 'drop everything' signal defenders usually use for browser bugs.
CVSS vector readoutCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H means remote and low-complexity once the user loads the page, but UI:R matters operationally and the disclosed impact is inside the sandbox.
Affected versionsChrome before 149.0.7827.53 according to the CVE/NVD record. Google and the Canadian Cyber Centre describe fixed desktop builds as 149.0.7827.53/54 for Windows/macOS and 149.0.7827.53 for Linux.
Fixed versions149.0.7827.53 (Linux) and 149.0.7827.53/54 (Windows/macOS). There is no separate distro backport signal in the cited sources; this is a standard Chrome desktop version bump.
Exposure realityThis is client-side endpoint software, not an internet-facing service, so Shodan/Censys/FOFA-style exposure counts are not useful here. Reachability is broad because Chrome is common, but exploitability depends on getting users to browse attacker content.
Disclosure timelineVendor fix shipped on 2026-06-02 in the Chrome 149 stable update; the CVE record shows 2026-06-04 publication in NVD.
Researcher / reportingThe public CVE entry does not name a reporter for this issue, and the linked Chromium issue is restricted. NVD also preserves the note "Chromium security severity: Medium", which is a useful sanity check against the supplied 8.8/HIGH baseline.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (6.3/10)

The decisive factor is sandboxed impact: this bug yields code execution in the renderer, not direct host compromise. That single constraint, combined with required user interaction and no exploitation signal, pushes this out of the emergency tier even though Chrome's install base is enormous.

HIGH Affected version and fixed-build mapping
MEDIUM Assessment that standalone enterprise impact is materially reduced by sandbox confinement
MEDIUM Absence of public PoC and exploitation evidence at assessment time

Why this verdict

  • Renderer-only impact: the disclosed outcome is arbitrary code execution inside Chrome's sandbox, which is a major downward adjustment from generic browser RCE scoring that implicitly feels like endpoint takeover.
  • User interaction required: the attacker needs a victim to load a crafted page, which implies phishing, malvertising, or a compromised site rather than direct wormable reach.
  • No live-fire intel: no KEV listing, no public PoC located, and very low EPSS all argue against emergency treatment.
  • Exposure is wide but not scan-addressable: Chrome is everywhere, but this is endpoint software rather than an externally exposed service, so an attacker still needs content delivery success on each victim.
  • Modern controls add friction: SWG, DNS filtering, ad blocking, EDR, and aggressive Chrome auto-update all suppress real exploitation volume compared with the raw CVSS baseline.

Why not higher?

If this were a sandbox escape, or if there were evidence of active chaining with a second Chrome bug, this would move sharply upward. As disclosed, the exploit stops at the renderer boundary, and that is exactly the kind of prerequisite chain that should compress severity for enterprise patch scheduling.

Why not lower?

It still deserves attention because Chrome is ubiquitous, malicious page delivery is cheap, and memory corruption in a browser renderer is a serious foothold even when sandboxed. If you have privileged users, unmanaged browsing, or weak outbound web controls, the practical risk is higher than a routine low-severity desktop bug.

05 · Compensating Control

What to do — in priority order.

  1. Force browser auto-update compliance — Make sure managed Windows, macOS, and Linux endpoints are actually receiving Chrome stable updates and are not pinned below the fixed build. For a MEDIUM verdict there is no noisgate mitigation SLA; use this as immediate hygiene while you work the 365-day remediation window.
  2. Reduce exposure to untrusted web content — Tighten Secure Web Gateway, DNS filtering, category blocking, and ad/tracker controls for high-risk user groups to reduce attacker success at the required page-load stage. There is no mitigation SLA for MEDIUM here, so deploy in the next normal browser-hardening cycle while patching proceeds.
  3. Prioritize high-risk user rings — Move administrators, developers, finance, executives, and browser-heavy workstations to the front of your Chrome update ring because their browsing footprint and token value make renderer compromise more useful to an attacker. Even without a mitigation SLA, do this early in the remediation window.
  4. Hunt for version drift — Use EDR, MDM, or software inventory to find hosts stuck on old Chrome builds, dormant VDI images, or Linux systems with disabled repo updates. These stragglers matter more than the average endpoint because Chrome normally self-updates quickly.
  5. Watch for suspicious Chrome child-process behavior — Tune EDR for unusual chrome process spawning, token theft patterns, injection, or abnormal access to credential stores, because meaningful harm from this CVE alone usually shows up in the follow-on stage. Keep those detections in place until your vulnerable population is materially reduced.
What doesn't work
  • A network vulnerability scan will not tell you whether an attacker can reach this through the browser; this is not a server-side exposure problem.
  • MFA alone does not stop initial renderer exploitation; it helps only if the attacker tries to convert browser foothold into session abuse later.
  • A WAF is mostly irrelevant unless you control the exact web app used for delivery; the exploit can arrive through any malicious or compromised page on the open web.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your fleet agent, not from an auditor workstation. Invoke it with python3 chrome_cve_2026_11164_check.py on macOS/Linux or py chrome_cve_2026_11164_check.py on Windows; standard user rights are enough because it only reads version metadata and common registry keys.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3\n# CVE-2026-11164 Chrome version checker\n# Exit codes:\n#   0 = PATCHED\n#   1 = VULNERABLE\n#   2 = UNKNOWN\n\nimport os\nimport platform\nimport re\nimport subprocess\nimport sys\n\nFIXED = (149, 0, 7827, 53)\n\ndef parse_version(text):\n    if not text:\n        return None\n    m = re.search(r'(\\d+)\\.(\\d+)\\.(\\d+)\\.(\\d+)', text)\n    if not m:\n        return None\n    return tuple(int(x) for x in m.groups())\n\ndef version_str(v):\n    return '.'.join(str(x) for x in v) if v else 'UNKNOWN'\n\ndef compare(v1, v2):\n    return (v1 > v2) - (v1 < v2)\n\ndef run_cmd(cmd):\n    try:\n        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10)\n        if p.returncode == 0:\n            return (p.stdout or p.stderr).strip()\n    except Exception:\n        pass\n    return None\n\ndef get_windows_version():\n    try:\n        import winreg\n    except Exception:\n        return None\n\n    reg_paths = [\n        (winreg.HKEY_CURRENT_USER, r'Software\\Google\\Chrome\\BLBeacon', 'version'),\n        (winreg.HKEY_LOCAL_MACHINE, r'Software\\Google\\Chrome\\BLBeacon', 'version'),\n        (winreg.HKEY_LOCAL_MACHINE, r'Software\\WOW6432Node\\Google\\Chrome\\BLBeacon', 'version'),\n    ]\n\n    for hive, path, name in reg_paths:\n        try:\n            with winreg.OpenKey(hive, path) as key:\n                value, _ = winreg.QueryValueEx(key, name)\n                v = parse_version(str(value))\n                if v:\n                    return v\n        except Exception:\n            continue\n\n    candidates = [\n        os.path.expandvars(r'%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe'),\n        os.path.expandvars(r'%ProgramFiles(x86)%\\Google\\Chrome\\Application\\chrome.exe'),\n        os.path.expandvars(r'%LocalAppData%\\Google\\Chrome\\Application\\chrome.exe'),\n    ]\n\n    for exe in candidates:\n        if exe and os.path.exists(exe):\n            out = run_cmd([exe, '--version'])\n            v = parse_version(out)\n            if v:\n                return v\n    return None\n\ndef get_macos_version():\n    plist_path = '/Applications/Google Chrome.app/Contents/Info.plist'\n    if os.path.exists(plist_path):\n        try:\n            import plistlib\n            with open(plist_path, 'rb') as f:\n                data = plistlib.load(f)\n            v = parse_version(str(data.get('CFBundleShortVersionString', '')))\n            if v:\n                return v\n        except Exception:\n            pass\n\n    candidates = [\n        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',\n        os.path.expanduser('~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'),\n    ]\n    for exe in candidates:\n        if os.path.exists(exe):\n            out = run_cmd([exe, '--version'])\n            v = parse_version(out)\n            if v:\n                return v\n    return None\n\ndef get_linux_version():\n    candidates = [\n        ['google-chrome', '--version'],\n        ['google-chrome-stable', '--version'],\n        ['chromium-browser', '--version'],\n        ['chromium', '--version'],\n    ]\n    for cmd in candidates:\n        out = run_cmd(cmd)\n        v = parse_version(out)\n        if v:\n            return v\n    return None\n\ndef main():\n    system = platform.system().lower()\n    detected = None\n\n    if 'windows' in system:\n        detected = get_windows_version()\n    elif 'darwin' in system:\n        detected = get_macos_version()\n    elif 'linux' in system:\n        detected = get_linux_version()\n\n    if not detected:\n        print('UNKNOWN: Could not determine installed Google Chrome version')\n        sys.exit(2)\n\n    if compare(detected, FIXED) < 0:\n        print(f'VULNERABLE: Chrome {version_str(detected)} is older than fixed baseline {version_str(FIXED)}')\n        sys.exit(1)\n\n    print(f'PATCHED: Chrome {version_str(detected)} is at or above fixed baseline {version_str(FIXED)}')\n    sys.exit(0)\n\nif __name__ == '__main__':\n    main()\n
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat this like a Chrome zero-day incident, but do sweep your fleet for version drift and complete the browser update wave. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window; practically, that means validate auto-update health now, front-load high-risk user rings this week, and make sure all managed endpoints converge to 149.0.7827.53+ inside your normal browser lifecycle. Unless exploitation evidence emerges, the formal noisgate remediation SLA is within 365 days, with no separate mitigation deadline.

Sources

  1. NVD CVE-2026-11164
  2. Chrome Releases: Stable Channel Update for Desktop (June 2, 2026)
  3. Canadian Centre for Cyber Security advisory AV26-544
  4. Chrome for Testing availability
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS API documentation
  7. Chrome Enterprise: Manage Chrome updates
  8. Chrome Enterprise: Chrome browser release channels
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.