Inappropriate implementation in Network in Google Chrome prior to 149

CVE-2026-11194 is a Chrome Network-side implementation flaw fixed in Chrome 149.0.7827.53 for Linux and 149.0.7827.53/54 for Windows and macOS. The public Chrome advisory calls it an "inappropriate implementation in Network" that could let a remote attacker leak cross-origin data through a crafted HTML page, and the linked Chromium fix ties the bug to violation reporting logic that failed to sanitize URLs before putting them into COEP and Document Isolation Policy reports.

The vendor's MEDIUM label is fair on paper but still too generous for enterprise patch triage. The reachable impact here looks much narrower than a generic "cross-origin data leak": the public fix shows leakage of URL fragments and credentials in reporting fields, which means the attack needs specific browser security-reporting paths and secrets embedded in URLs in the first place; that is a real confidentiality bug, but not the kind of clean read-anything primitive that earns front-of-queue treatment across 10,000 endpoints.

Why this verdict

• Vendor baseline starts at 6.5, then drops because the public fix narrows the story. The commit tied to bug 503719488 is about stripping fragments, usernames, and passwords from reporting URLs, which is materially smaller than a broad arbitrary cross-origin read.
• User interaction is required. The attacker must get a user onto a crafted page, so this is not wormable, not service-exposed, and not something that turns a browser into an unauthenticated remote foothold by itself.
• Exploit chain depends on specific browser reporting paths and URL-shaped secrets. Requiring COEP/DIP violation reporting plus sensitive data living in URL components is compounding friction that cuts real-world success rates.

Why not higher?

This does not look like a browser sandbox escape, renderer RCE, or clean SOP bypass that hands over arbitrary cross-origin response bodies. The public fix strongly suggests the leak is confined to report serialization of URL metadata, which is a much smaller prize and a much more conditional path.

Why not lower?

It is still a remotely triggerable confidentiality bug in one of the most widely deployed enterprise applications on the planet. If a target workflow still carries secrets in fragments or URL credentials, the attacker can potentially harvest them from browser-generated reports without needing local code execution.

1. Enforce browser currency — Use your normal endpoint management stack to confirm Chrome is at or above 149.0.7827.53 on Linux and 149.0.7827.53/54 on Windows/macOS. Because this is a LOW noisgate verdict, there is no formal mitigation SLA; treat this as backlog hygiene and close it during routine browser update enforcement.
2. Inventory non-standard Chrome channels — Find endpoints pinned to Extended Stable, frozen VDI images, kiosk builds, gold images, and offline developer workstations. Those are the places where browser bugs linger after auto-update would normally have solved the problem; for a LOW verdict, clean them up in the next regular image or maintenance cycle.
3. Review report collectors — If you operate Reporting API, COEP, or Document Isolation Policy collectors, verify who can receive browser policy reports and whether those endpoints are exposed to third parties. There is no mitigation SLA for this verdict, but tightening report destinations reduces the already small blast radius while patch uptake catches up.
4. Hunt for secrets in URLs — Search internal apps for tokens, credentials, or sensitive state in URL fragments and userinfo components. That is sound engineering regardless of this CVE and it removes the specific data shape this bug appears able to expose; handle in normal secure-development backlog rather than emergency change.

Run this on the target endpoint or via your software-distribution/EDR remote script runner. Invoke it with python3 check_chrome_cve_2026_11194.py on macOS/Linux or py check_chrome_cve_2026_11194.py on Windows; no admin rights are required if Chrome is installed in standard locations.

#!/usr/bin/env python3\n# check_chrome_cve_2026_11194.py\n# Exit codes:\n#   0 = PATCHED\n#   1 = VULNERABLE\n#   2 = UNKNOWN\n\nimport os\nimport platform\nimport re\nimport shutil\nimport subprocess\nimport sys\nfrom typing import Optional, Tuple\n\nFIX_WINDOWS_MAC = (149, 0, 7827, 54)\nFIX_LINUX = (149, 0, 7827, 53)\n\ndef parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:\n    m = re.search(r'(\\d+)\\.(\\d+)\\.(\\d+)\\.(\\d+)', text)\n    if not m:\n        return None\n    return tuple(int(x) for x in m.groups())\n\ndef run_cmd(cmd):\n    try:\n        p = subprocess.run(cmd, capture_output=True, text=True, timeout=10)\n        out = (p.stdout or '') + '\\n' + (p.stderr or '')\n        return p.returncode, out.strip()\n    except Exception:\n        return 99, ''\n\ndef get_version_windows() -> Optional[Tuple[int, int, int, int]]:\n    candidates = [\n        os.path.expandvars(r'%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe'),\n        os.path.expandvars(r'%ProgramFiles(x86)%\\Google\\Chrome\\Application\\chrome.exe'),\n        os.path.expandvars(r'%LocalAppData%\\Google\\Chrome\\Application\\chrome.exe'),\n    ]\n    ps = shutil.which('powershell') or shutil.which('pwsh')\n    for path in candidates:\n        if os.path.exists(path) and ps:\n            cmd = [ps, '-NoProfile', '-Command', f\"(Get-Item '{path}').VersionInfo.ProductVersion\"]\n            rc, out = run_cmd(cmd)\n            ver = parse_version(out)\n            if ver:\n                return ver\n    return None\n\ndef get_version_macos() -> Optional[Tuple[int, int, int, int]]:\n    candidates = [\n        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',\n        os.path.expanduser('~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'),\n    ]\n    for path in candidates:\n        if os.path.exists(path):\n            rc, out = run_cmd([path, '--version'])\n            ver = parse_version(out)\n            if ver:\n                return ver\n    return None\n\ndef get_version_linux() -> Optional[Tuple[int, int, int, int]]:\n    candidates = ['google-chrome', 'google-chrome-stable', 'chromium', 'chromium-browser']\n    for exe in candidates:\n        path = shutil.which(exe)\n        if path:\n            rc, out = run_cmd([path, '--version'])\n            ver = parse_version(out)\n            if ver:\n                return ver\n    return None\n\ndef compare(v1, v2):\n    return (v1 > v2) - (v1 < v2)\n\ndef main():\n    system = platform.system().lower()\n    version = None\n    fixed = None\n\n    if 'windows' in system:\n        version = get_version_windows()\n        fixed = FIX_WINDOWS_MAC\n    elif 'darwin' in system:\n        version = get_version_macos()\n        fixed = FIX_WINDOWS_MAC\n    elif 'linux' in system:\n        version = get_version_linux()\n        fixed = FIX_LINUX\n    else:\n        print('UNKNOWN - unsupported platform for this checker')\n        sys.exit(2)\n\n    if not version:\n        print('UNKNOWN - Google Chrome not found or version unreadable')\n        sys.exit(2)\n\n    vstr = '.'.join(str(x) for x in version)\n    fstr = '.'.join(str(x) for x in fixed)\n\n    if compare(version, fixed) >= 0:\n        print(f'PATCHED - detected Chrome {vstr}, fixed threshold {fstr}')\n        sys.exit(0)\n    else:\n        print(f'VULNERABLE - detected Chrome {vstr}, fixed threshold {fstr}')\n        sys.exit(1)\n\nif __name__ == '__main__':\n    main()\n

Sources

1. Chrome Releases: Stable Channel Update for Desktop (June 2, 2026)
2. Chrome Releases: Early Stable Update for Desktop (May 29, 2026)
3. Chromium fix commit for bug 503719488
4. Chromium Site Isolation documentation
5. Chromium design doc: Blocking Cross-Site Documents for Site Isolation
6. CISA Known Exploited Vulnerabilities Catalog
7. FIRST EPSS overview
8. Vulnerability Lookup entry for CVE-2026-11194