CVE-2026-11183 · CWE-125 · Disclosed 2026-06-04

Out of bounds read in GWP-ASan in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a peek through a cracked mail slot, not a master key

CVE-2026-11183 is an out-of-bounds read in Chrome's GWP-ASan-related code path that can disclose process memory. The affected range is Google Chrome before 149.0.7827.53 on Linux and before 149.0.7827.53/.54 on Windows and macOS, with disclosure on 2026-06-04.

I would downgrade the vendor's Medium for enterprise patch-priority purposes because the narrative says local attacker, which means the attacker is already on the endpoint. That is a huge real-world friction point versus a true drive-by browser bug, and it matters more than the nominal AV:N/UI:R vector in the supplied CVSS, which appears inconsistent with the published description.

"Post-compromise local info leak in Chrome, not a fleet-fire remote takeover"
02 · The Attack Path

3 steps from start to impact.

STEP 01

Get code onto the endpoint

The attacker first needs local execution or a local account on the target workstation. In practice that means malware delivered by phishing, a malicious insider, abuse of an existing foothold, or some other already-successful endpoint compromise.
Conditions required:
  • Local code execution or local user access on the target device
  • Ability to run untrusted code without being blocked
Where this breaks in practice:
  • This is already post-initial-access; it is not an internet-reachable opening move
  • EDR, application control, SmartScreen, Gatekeeper, and basic user privilege separation commonly break this stage
Detection/coverage: Good coverage from EDR and endpoint telemetry for suspicious unsigned binaries, script launchers, and new persistence mechanisms; poor CVE-specific detection.
STEP 02

Reach a vulnerable Chrome build and trigger the bug

The attacker then needs a Chrome build older than 149.0.7827.53 and a way to exercise the vulnerable memory-read path. GWP-ASan is a sampling-based heap-hardening tool: it places guard pages around a small random subset of allocations so that production Chrome builds can catch and report heap memory errors. Because the flaw sits in that code path, there is likely additional reliability friction compared with mainstream renderer RCE chains; that is an inference from the component context, not a vendor statement.
Conditions required:
  • Chrome version older than the fixed build
  • Chrome installed and available to the attacker's local session
  • A trigger path that reaches the vulnerable GWP-ASan code
Where this breaks in practice:
  • Chrome auto-update sharply narrows the vulnerable population over time
  • The bug is an out-of-bounds read, not an execution primitive
  • If the GWP-ASan context reflects sampled or diagnostic-style paths, exploit reliability may be inconsistent
Detection/coverage: Version scanners can flag outdated Chrome. Exploit-path detection is weak unless the trigger causes crashes, unusual child-process behavior, or browser instability visible to EDR/crash telemetry.
STEP 03

Harvest memory-resident data

If the read succeeds, the attacker may recover data present in the affected Chrome process memory, such as page data, tokens, or other sensitive session material. The blast radius is usually the local user's browser context rather than the whole fleet or domain.
Conditions required:
  • Sensitive data present in the targeted Chrome process at trigger time
  • Ability to collect and parse the leaked memory
Where this breaks in practice:
  • Impact is confidentiality-only in the supplied intel
  • High-value data must actually be resident in the reachable process memory
  • Enterprise browser isolation, token hardening, and session expiry reduce practical payoff
Detection/coverage: Little direct network visibility. Correlate browser crash spikes, suspicious local tooling around browser processes, and post-exploitation credential/token use.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No evidence of active exploitation found in retrieved sources, and not listed in CISA KEV.
Public PoC availability: No public PoC for CVE-2026-11183 was found in retrieved primary sources. Chrome often keeps bug details restricted until patch adoption is broad.
EPSS: 0.00014 per user-supplied intel, which is extremely low. EPSS percentile was not confirmed from retrieved primary sources.
KEV status: Not KEV-listed as of this assessment; therefore no CISA due date exists for this CVE.
CVSS vector and interpretation: Supplied vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (6.5, Medium). That reads like a user-driven remote content bug, but the published description says local attacker, so the vector and narrative appear inconsistent.
Affected versions: Google Chrome before 149.0.7827.53 on Linux and before 149.0.7827.53/.54 on Windows/macOS per Chrome release and national CERT advisories.
Fixed versions: Upgrade to 149.0.7827.53 on Linux and 149.0.7827.53/.54 on Windows/macOS. For distro-packaged Chromium, backport status is distro-specific and should not be inferred from upstream Chrome numbering alone.
Exposure / scanning reality: This is a client-side browser flaw, so internet census platforms like Shodan/Censys/FOFA are largely irrelevant. Exposure is driven by endpoint fleet versioning, not public service enumeration.
Disclosure date: 2026-06-04.
Reporter / researcher: Not confirmed in retrieved sources. Chrome security bug details are often temporarily restricted during rollout.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.7/10)

The decisive factor is that the published description says local attacker, which turns this from a browser drive-by concern into a post-compromise endpoint amplifier. Once a vulnerability already assumes local execution, the reachable population and operational urgency both drop hard unless there is evidence of active chaining or exploitation at scale.

  • HIGH: affected/fixed version range
  • MEDIUM: exploitability reassessment, because the supplied CVSS vector conflicts with the local-attacker description

Why this verdict

  • Requires local foothold: the published description says *local attacker*, which implies the attacker is already on the box. That is a major downward adjustment from the vendor's remote-style AV:N/PR:N/UI:R baseline.
  • Confidentiality-only outcome: the supplied impact is information disclosure, not code execution, privilege escalation, or service-killing availability loss.
  • No exploitation pressure: no KEV entry, extremely low EPSS, and no public PoC found in retrieved sources all argue against emergency fleet-wide handling.

Why not higher?

If this were a clean unauthenticated remote browser exploit with consistent vendor language, a Medium might be fair. But once the path requires local attacker position, you are no longer prioritizing initial compromise prevention; you are prioritizing a narrower post-compromise data leak.

Why not lower?

I would not mark it IGNORE because Chrome is everywhere and browser process memory can hold useful session data. If you have kiosk, shared workstation, developer, or high-value admin-browsing populations pinned on old Chrome builds, the local info-leak still has real defensive value.

05 · Compensating Control

What to do — in priority order.

  1. Enforce browser auto-update — Make sure Chrome's enterprise update channel is functioning and that devices are not pinned below 149.0.7827.53/.54. For a LOW verdict there is no SLA (treat as backlog hygiene), so this should be folded into normal browser servicing rather than emergency change windows.
  2. Clamp down on local execution — Use application control, EDR prevention, SmartScreen/Gatekeeper, and least-privilege to stop the prerequisite local foothold that this CVE depends on. Because this flaw is only interesting after code lands on the endpoint, these controls do more practical risk reduction than treating the CVE itself as a crisis.
  3. Protect browser sessions for privileged users — Apply hardened browser profiles, short-lived tokens, and separate admin activity from day-to-day browsing on sensitive populations. This reduces the value of any process-memory disclosure if a local attacker does get code execution.
  4. Hunt for version laggards — Query endpoint management, software inventory, or EDR to find systems still running pre-fix Chrome builds. For LOW, there is no formal mitigation deadline, but identifying pinned or broken-update cohorts is the right hygiene task.
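A worked version of control 4, added here as an example rather than noisgate's own tooling: it reads a software-inventory export, applies the fixed-build floor from the affected-version data in section 03, refuses to infer a status for distro-packaged Chromium (for the reason given there), and orders vulnerable hosts so that the cohorts section 04 says to move first come out on top. The CSV column names, host names and cohort labels are constructed for illustration; map them to whatever your MDM, osquery or EDR export actually emits.

```python
#!/usr/bin/env python3
"""Fleet triage for CVE-2026-11183 over a software-inventory export.

Added example: the CSV layout, hostnames and cohort labels are constructed
for illustration and are not from noisgate or any vendor export format.
"""
import csv
import io
import re

# Fixed-build floor per platform from the Chrome release notes cited on this page.
# Windows/macOS shipped .53 and .54; .53 is the lowest patched build on all three.
FIXED_BUILD = {
    'linux': (149, 0, 7827, 53),
    'windows': (149, 0, 7827, 53),
    'macos': (149, 0, 7827, 53),
}

# Cohorts that section 04 says to move first if they are stuck on old builds.
# The label strings are assumed; use whatever tags your inventory carries.
PRIORITY_COHORTS = {'admin', 'shared-workstation', 'kiosk', 'developer'}

# Constructed sample export (not real hosts).
SAMPLE_INVENTORY = """hostname,platform,product,version,cohort
ws-fin-01,windows,Google Chrome,148.0.7801.120,standard
ws-adm-02,windows,Google Chrome,148.0.7801.120,admin
mac-dev-03,macos,Google Chrome,149.0.7827.54,developer
lnx-build-04,linux,Google Chrome,149.0.7827.53,developer
lnx-kiosk-05,linux,Chromium,147.0.7712.90,kiosk
ws-rcpt-06,windows,Google Chrome,,shared-workstation
"""


def parse_version(text):
    """Extract a four-part Chrome build number as a comparable tuple, or None."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', text or '')
    return tuple(int(x) for x in m.groups()) if m else None


def classify(platform, product, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    plat = platform.strip().lower()
    if plat not in FIXED_BUILD:
        return 'unknown'
    # Distro-packaged Chromium has its own backport story (section 03), so its
    # upstream-style version number must not be compared against the Chrome floor.
    if product.strip().lower() != 'google chrome':
        return 'unknown'
    v = parse_version(version)
    if v is None:
        return 'unknown'
    return 'patched' if v >= FIXED_BUILD[plat] else 'vulnerable'


def triage(csv_text):
    """Bucket hosts by status; vulnerable hosts are ordered priority cohorts first."""
    buckets = {'vulnerable': [], 'unknown': [], 'patched': []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row['platform'], row['product'], row['version'])
        buckets[status].append((row['hostname'], row['cohort'].strip().lower()))
    # Priority cohorts sort as 0, everything else as 1, then by hostname.
    buckets['vulnerable'].sort(key=lambda h: (0 if h[1] in PRIORITY_COHORTS else 1, h[0]))
    return {status: [host for host, _ in hosts] for status, hosts in buckets.items()}


def main():
    report = triage(SAMPLE_INVENTORY)
    for status in ('vulnerable', 'unknown', 'patched'):
        hosts = ', '.join(report[status]) or '-'
        print(f'{status.upper():10} {len(report[status]):3}  {hosts}')


if __name__ == '__main__':
    main()
```

The unknown bucket is deliberate: a blank version field usually means a broken inventory agent or a pinned/broken updater, and a Chromium row needs a distro-specific check, so both belong on the hygiene list rather than being silently counted as patched.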
What doesn't work
  • A WAF does not help because this is not a server-side web application issue.
  • Perimeter network scanning does not help because Chrome endpoints are not meaningfully enumerable like internet-facing services.
  • Pure MFA does not stop the memory-read itself; it only helps with some downstream token-abuse scenarios.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your software-distribution/EDR scripting channel. Save it as noisgate-verify.py and invoke it with python3 noisgate-verify.py (auto-detects the Chrome install) or python noisgate-verify.py "C:\Program Files\Google\Chrome\Application\chrome.exe" (explicit binary path); it needs only normal user privileges to read the Chrome binary version. It looks for Google Chrome only; distro-packaged Chromium is reported as UNKNOWN rather than compared against the upstream build number, for the reason given in section 03.

noisgate-verify.py (Python, read-only, safe to run)
#!/usr/bin/env python3
# Check Google Chrome version for CVE-2026-11183
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

import os
import platform
import re
import subprocess
import sys
from pathlib import Path

# Lowest patched build on every platform. Windows/macOS also shipped
# 149.0.7827.54; anything >= .53 compares as patched.
FIXED = (149, 0, 7827, 53)


def parse_version(text):
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_to_str(v):
    return '.'.join(str(x) for x in v)


def cmp_ver(a, b):
    return (a > b) - (a < b)


def run_cmd(cmd):
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10)
        out = (p.stdout or '') + '\n' + (p.stderr or '')
        return out.strip()
    except Exception:
        return ''


def check_explicit_path(pth):
    p = Path(pth)
    if not p.exists():
        # Return the reason as the second element so main() can report it
        return None, f'Path not found: {pth}'
    return get_version_from_path(str(p))


def get_version_from_path(pth):
    system = platform.system()
    if system == 'Windows':
        # chrome.exe is a GUI-subsystem binary, so --version output is not
        # reliably visible from a console; read the file's version resource
        # via PowerShell instead (no pywin32 needed). -LiteralPath avoids
        # wildcard expansion and single quotes are doubled so a quote in the
        # path cannot break out of the PowerShell string literal.
        safe = pth.replace("'", "''")
        cmd = [
            'powershell', '-NoProfile', '-Command',
            f"(Get-Item -LiteralPath '{safe}').VersionInfo.ProductVersion"
        ]
        out = run_cmd(cmd)
    else:
        # Linux and macOS binaries print e.g. "Google Chrome 149.0.7827.53"
        out = run_cmd([pth, '--version'])
    v = parse_version(out)
    if v is None:
        return None, f'Could not read a version from {pth}'
    return v, pth


def find_linux():
    candidates = [
        'google-chrome',
        'google-chrome-stable',
        '/opt/google/chrome/google-chrome',
        '/usr/bin/google-chrome',
        '/usr/bin/google-chrome-stable',
    ]
    for c in candidates:
        # Bare names resolve through PATH; a missing command raises inside
        # run_cmd and comes back as '' so the loop simply moves on
        out = run_cmd([c, '--version'])
        v = parse_version(out)
        if v:
            return v, c
    return None, None


def find_macos():
    candidates = [
        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
        str(Path.home() / 'Applications/Google Chrome.app/Contents/MacOS/Google Chrome'),
    ]
    for c in candidates:
        if os.path.exists(c):
            out = run_cmd([c, '--version'])
            v = parse_version(out)
            if v:
                return v, c
    return None, None


def find_windows():
    local = os.environ.get('LOCALAPPDATA', '')
    program_files = os.environ.get('ProgramFiles', '')
    program_files_x86 = os.environ.get('ProgramFiles(x86)', '')
    candidates = [
        os.path.join(local, 'Google', 'Chrome', 'Application', 'chrome.exe'),
        os.path.join(program_files, 'Google', 'Chrome', 'Application', 'chrome.exe'),
        os.path.join(program_files_x86, 'Google', 'Chrome', 'Application', 'chrome.exe'),
    ]
    for c in candidates:
        if c and os.path.exists(c):
            v, src = get_version_from_path(c)
            if v:
                return v, src
    return None, None


def main():
    if len(sys.argv) > 1:
        v, src = check_explicit_path(sys.argv[1])
    else:
        system = platform.system()
        if system == 'Linux':
            v, src = find_linux()
        elif system == 'Darwin':
            v, src = find_macos()
        elif system == 'Windows':
            v, src = find_windows()
        else:
            print(f'UNKNOWN - Unsupported platform: {system}')
            sys.exit(2)

    if not v:
        reason = src or 'Google Chrome not found or version could not be determined'
        print(f'UNKNOWN - {reason}')
        sys.exit(2)

    if cmp_ver(v, FIXED) < 0:
        print(f'VULNERABLE - Found Chrome {version_to_str(v)} at {src}; fixed version is {version_to_str(FIXED)} or later')
        sys.exit(1)
    else:
        print(f'PATCHED - Found Chrome {version_to_str(v)} at {src}; fixed version is {version_to_str(FIXED)}')
        sys.exit(0)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: verify your Chrome update rings are healthy, inventory any endpoints still below 149.0.7827.53/.54, and fix broken auto-update or version pinning rather than opening an emergency patch bridge. For a LOW verdict noisgate sets no mitigation SLA and no remediation SLA (treat both as backlog hygiene), so handle it in the next normal browser servicing cycle; if you discover privileged or shared-workstation cohorts stuck on old builds, move those first, even though this still does not justify an all-hands response.

Sources

  1. Chrome Releases: Early Stable Update for Desktop (149.0.7827.53/.54)
  2. Chrome for Testing availability for 149.0.7827.53
  3. Canadian Centre for Cyber Security advisory AV26-544
  4. GovCERT.HK Security Alert A26-06-08
  5. CISA Known Exploited Vulnerabilities Catalog
  6. Chromium issue: GWP-ASan crash report context
  7. Chromium issue: GWP-ASAN for Linux and ChromeOS
  8. Third-party CVE listing for CVE-2026-11183