CVE-2026-11170 · Inappropriate implementation in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to perform OS-level pr

01 · The Real Story

This is a sharp lockpick hidden inside a side door, not a battering ram at the front gate

CVE-2026-11170 is an *inappropriate implementation* flaw in Chrome's Chromoting component on Linux builds prior to 149.0.7827.53. Google listed it in the June 2, 2026 Stable Channel release, and your supplied metadata pegs it to CWE-693 with a vendor HIGH 8.1 vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Public bug details are still restricted, so the exact trigger is not public; what is public is the scope: Linux-only, Chrome-only, and specifically the Chromoting code path.

The vendor score is aggressive for fleet prioritization. In a vacuum, unauthenticated network reach plus OS-level impact deserves attention, but in enterprise reality this is *not* a generic renderer RCE hitting every browser session equally: it is Linux-only, tied to a narrower component, marked high complexity, has no KEV entry, no confirmed in-the-wild exploitation, and no public weaponized PoC I could verify. For a 10,000-host shop, that makes this a MEDIUM operational risk unless your environment has a heavy Linux desktop population using Chrome features that exercise Chromoting.

"Remote-on-paper, but real-world reach is narrowed by Linux-only scope, Chromoting-specific reachability, and high exploit complexity."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a Linux Chrome target on a vulnerable build

The attacker needs a workstation running Google Chrome on Linux below 149.0.7827.53. This is already a population filter: many enterprises have limited Linux desktop numbers, and Chrome auto-update or managed package repos often compress the vulnerable window quickly.

Conditions required:

Target is a Linux desktop or VDI endpoint using Chrome
Installed version is earlier than 149.0.7827.53
The relevant Chromoting code path is present and reachable

Where this breaks in practice:

Linux desktop share is usually far smaller than Windows/macOS in enterprise fleets
Auto-update and repo-driven browser updates shrink dwell time
Public advisories do not show that every browsing session hits the vulnerable path

Detection/coverage: Version scanners and software inventory can usually flag Chrome <149.0.7827.53, but they cannot confirm whether Chromoting was reachable in a given session.

STEP 02

Deliver the trigger into the Chromoting path

A custom exploit would need to steer malicious network traffic or content into the vulnerable Chromoting implementation. There is no public PoC I could verify, and Google's ecosystem still keeps the bug restricted, which is usually a sign the trigger details matter and are not trivial to reproduce from the advisory alone.

Conditions required:

Attacker can get traffic/content to the target browser
The content reaches the vulnerable Chromoting handler
The exploit overcomes the advertised AC:H complexity

Where this breaks in practice:

No public exploit code verified
High attack complexity materially lowers reproducibility
Component-specific reachability is narrower than a normal renderer bug

Detection/coverage: Network IDS and web gateways will have weak signature coverage until bug details are public; browser crash telemetry and EDR process anomaly alerts are more realistic than pure signature matching.

STEP 03

Convert the bug into OS-level execution

Assuming the trigger works, the attacker still has to convert the implementation flaw into meaningful code execution or privilege gain on the Linux host. Chrome's multi-process architecture, site isolation, and Linux sandboxing are not perfect, but they are real friction that turns many theoretical browser bugs into unstable chains.

Conditions required:

The bug yields a controllable primitive, not just a crash
The primitive survives Chrome process isolation and Linux sandbox controls
Host hardening does not kill the chain

Where this breaks in practice:

Exploit reliability on Linux is usually harder than CVSS suggests
Seccomp, namespace isolation, and process separation reduce blast radius
EDR/browser hardening can turn exploit attempts into crashes instead of compromise

Detection/coverage: Look for Chrome child-process crashes, abnormal helper process trees, and denied syscalls or sandbox violations in EDR/host telemetry.

STEP 04

Establish endpoint foothold

If the chain succeeds, the attacker lands code execution on the endpoint under the logged-in user's context or better, depending on the flaw's true impact. At that point the problem becomes standard endpoint defense: credential access, browser token theft, lateral movement, and persistence attempts.

Conditions required:

Initial exploit succeeds end-to-end
Endpoint controls do not block post-exploitation activity

Where this breaks in practice:

Modern EDR often catches the post-exploitation phase even when initial exploit telemetry is weak
Linux endpoints are commonly less numerous and easier to isolate quickly

Detection/coverage: EDR should catch unusual child processes, shell spawns from Chrome, suspicious outbound connections, and persistence artifacts under the user profile.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation found. I could not verify KEV inclusion or vendor statements indicating exploitation in the wild.
Public exploit / PoC	None verified. I found no public GitHub PoC or exploit write-up for `CVE-2026-11170`; Google bug details remain restricted at the referenced Chromium issue.
EPSS	0.00097 from your intel block, which is extremely low; the public aggregator snapshot I could access also showed this CVE in the very low exploit-likelihood band.
KEV status	Not KEV-listed per your intel block; I found no evidence of addition to CISA's KEV catalog.
Vendor / public severity mismatch	Google's June 2, 2026 release post lists `CVE-2026-11170` as Medium in the release notes, while your supplied CVSS baseline is 8.1 HIGH. That is a warning sign that the raw vector is overstating field risk.
CVSS vector, interpreted	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` means unauthenticated remote reach on paper, but the `AC:H` flag is doing real work here: successful exploitation likely needs narrow preconditions and careful trigger construction.
Affected versions	Google Chrome on Linux prior to `149.0.7827.53`. The stable channel advisory published June 2, 2026 states Linux moved to `149.0.7827.53`.
Fixed version	`149.0.7827.53` or later on Linux. For distro-packaged Chromium/Chrome, treat vendor-backported builds as patched only if the distro security advisory explicitly says so.
Exposure / scanability	Poorly measurable with internet-wide scan data. This is primarily a client-side browser risk, not a server socket you can count in Shodan/Censys/GreyNoise, so external exposure counts are not a useful prioritization input.
Disclosure / reporting	Disclosed 2026-06-04 in the CVE stream you supplied; Google's stable release went live 2026-06-02 and attributes the issue to Google, reported on 2026-04-13 in the release notes.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.1/10)

The decisive factor is reachability friction: this is Linux-only and sits in the Chromoting component rather than the broad renderer path every Chrome session constantly exercises. Add AC:H, no KEV, no verified PoC, and no exploitation evidence, and this stops looking like a front-of-queue browser fire drill for most enterprises.

HIGH Affected version range and fixed version

MEDIUM Real-world exploitability reduction from Chromoting-specific reachability

HIGH No verified public exploitation or KEV status

Why this verdict

Linux-only scope cuts population hard: this is not a whole-fleet Chrome emergency unless you actually run a meaningful Linux desktop estate.
Chromoting is narrower than the generic web renderer: the public record places the bug in a specific component, which implies fewer real sessions can hit it than a broad renderer or V8 issue.
High attack complexity matters: AC:H plus restricted bug details and no PoC means the path from advisory text to reliable weaponization is not short.
No exploitation evidence: no KEV entry, no verified campaigns, and no public exploit code means there is no current attacker-pressure multiplier pushing this upward.
Browser-client exposure is not internet-enumerable: you cannot justify emergency treatment from Shodan-style exposure because this is an endpoint/browser maintenance problem, not a server perimeter problem.

Why not higher?

If this were a cross-platform renderer or V8 issue with public exploit code, I would keep it high. But Linux-only scope, component-specific reachability, and AC:H compound each other and materially reduce the number of real enterprise systems an attacker can hit and reliably compromise.

Why not lower?

I am not calling this LOW because the *technical* impact is still serious if the chain works: remote, unauthenticated, and potentially host-impacting. A Linux-heavy engineering estate or remote-admin-heavy workflows could make this matter more than the average enterprise baseline.

05 · Compensating Control

What to do — in priority order.

Constrain Linux Chrome rollout channels — Force managed Linux endpoints onto the patched browser build and stop exceptions or pinned legacy versions. There is no mitigation SLA for a MEDIUM verdict; use this immediately where practical and close remaining drift inside the 365-day remediation window.
Tighten Linux endpoint EDR detections — Add or verify detections for Chrome spawning shells, interpreters, package managers, or unusual child processes on Linux. There is no mitigation SLA for a MEDIUM verdict; deploy as standard hardening while you work through browser patching.
Reduce risky browser feature usage on Linux admin workstations — Where operationally possible, minimize optional remote-control/browser-assisted admin workflows that could exercise Chromoting on privileged Linux endpoints. There is no mitigation SLA for a MEDIUM verdict; apply selectively to high-value admin tiers until patch coverage is complete.
Isolate high-value Linux desktop tiers — Keep engineering jump hosts, admin workstations, and developer Linux desktops segmented so a user-context browser compromise has less lateral payoff. There is no mitigation SLA for a MEDIUM verdict; this is a risk-reduction layer, not a substitute for patching.

What doesn't work

A perimeter WAF does not solve this; the vulnerable surface is the local browser client, not your inbound web stack.
Network scanning for open ports does not prioritize this well; there is no meaningful internet-facing service fingerprint to count.
Relying on user training alone is weak here; the supplied vector says no user interaction, so awareness controls are not the primary brake.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux endpoint or through your remote shell/management agent. Invoke it as bash check_chrome_11170.sh; no root is required if Chrome is in the user's PATH, but root may help if you need to inspect system package locations. The script checks common Chrome/Chromium binaries and reports VULNERABLE, PATCHED, or UNKNOWN against fixed version 149.0.7827.53.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_chrome_11170.sh
# Detects whether a Linux host appears vulnerable to CVE-2026-11170 based on browser version.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / unable to determine

set -u

FIXED_VERSION="149.0.7827.53"
CANDIDATES=(
  google-chrome
  google-chrome-stable
  chromium
  chromium-browser
  /opt/google/chrome/chrome
  /usr/bin/google-chrome
  /usr/bin/google-chrome-stable
  /usr/bin/chromium
  /usr/bin/chromium-browser
)

found_bin=""
found_ver=""

version_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ]
}

get_version() {
  local bin="$1"
  local out
  out="$($bin --version 2>/dev/null || true)"
  # Examples:
  # Google Chrome 149.0.7827.53
  # Chromium 149.0.7827.53 snap
  printf '%s' "$out" | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n1
}

for bin in "${CANDIDATES[@]}"; do
  if command -v "$bin" >/dev/null 2>&1; then
    ver="$(get_version "$bin")"
    if [ -n "$ver" ]; then
      found_bin="$(command -v "$bin")"
      found_ver="$ver"
      break
    fi
  elif [ -x "$bin" ]; then
    ver="$(get_version "$bin")"
    if [ -n "$ver" ]; then
      found_bin="$bin"
      found_ver="$ver"
      break
    fi
  fi
done

if [ -z "$found_bin" ] || [ -z "$found_ver" ]; then
  echo "UNKNOWN: could not find a Chrome/Chromium binary or parse its version"
  exit 2
fi

if version_lt "$found_ver" "$FIXED_VERSION"; then
  echo "VULNERABLE: $found_bin version $found_ver is older than fixed version $FIXED_VERSION"
  exit 1
else
  echo "PATCHED: $found_bin version $found_ver is at or newer than fixed version $FIXED_VERSION"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as a managed Linux browser hygiene issue, not an all-hands incident. Use asset inventory to find Linux endpoints running Chrome below 149.0.7827.53, verify whether any high-value admin or engineering tiers rely on Chrome workflows that may touch Chromoting, and close the gap through your normal browser maintenance lane. For a MEDIUM verdict, the noisgate mitigation SLA is no mitigation SLA — go straight to the 365-day remediation window; the noisgate remediation SLA is to get the vendor fix fully deployed within 365 days of disclosure, i.e. by 2027-06-04. If your Linux desktop population is tiny, clear it as backlog work; if it is large or privileged, front-load those tiers this quarter rather than waiting for the long tail.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.