← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11199 · CWE-20 · Disclosed 2026-06-04

Inappropriate implementation in WebRTC in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a mail slot that only matters if the attacker is already standing in your hallway

CVE-2026-11199 is a WebRTC implementation flaw in Google Chrome that affects versions prior to 149.0.7827.53. The stated impact is *cross-origin data leakage* caused by *malicious network traffic*, which means the attacker is not abusing a normal web page alone; they need to be in a privileged network position where they can observe, alter, or inject traffic into the victim's WebRTC-related flows.

Google's MEDIUM 5.9 label is fair on pure technical severity, but it still reads hotter than the operational reality for most enterprises. The decisive friction is the attacker position: *privileged network attacker* is a narrow prerequisite that usually implies a compromised Wi-Fi, malicious ISP/proxy/VPN node, or already-compromised internal network gear. That sharply reduces reachable population compared with the usual Chrome bugs that only need a crafted page.

"This is a niche on-path privacy leak, not a fleet-wide fire drill"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get on-path to the victim

The attacker first needs a privileged network position between Chrome and the services participating in WebRTC-related traffic. In practice that means a hostile Wi-Fi, rogue gateway, compromised proxy/VPN concentrator, or upstream network control. Commodity tooling such as bettercap or Ettercap can provide the interception and traffic-manipulation foothold, but the hard part is owning the path in the first place.
Conditions required:
  • Attacker can intercept or tamper with the victim's network traffic
  • Victim is using an affected Chrome version prior to 149.0.7827.53
  • WebRTC-relevant traffic is reachable from the victim session
Where this breaks in practice:
  • Requires network adjacency or infrastructure compromise, not just internet reachability
  • Many enterprise users sit behind managed networks, secure VPNs, or trusted egress paths
  • Owning the path at scale is much harder than luring users to a page
Detection/coverage: Traditional vulnerability scanners do not see attacker position. Network IDS may detect ARP spoofing, rogue DHCP, transparent proxying, or unusual STUN/TURN manipulation, but coverage is environment-specific.
STEP 02

Manipulate WebRTC-related traffic

Once on-path, the attacker has to craft or alter network traffic in a way that triggers the flawed WebRTC behavior and leaks cross-origin data. A realistic weaponization path would use a packet injector or transparent proxy stack such as mitmproxy plus custom parsing or replay logic for STUN/TURN or adjacent signaling flows. This is not a one-click exploit path; the CVSS AC:H is doing real work here.
Conditions required:
  • Attacker understands the affected traffic pattern well enough to shape packets precisely
  • The specific victim session exercises the vulnerable code path
Where this breaks in practice:
  • No public PoC was found
  • High attack complexity suggests brittle exploit conditions
  • WebRTC traffic patterns vary by app, policy, and network environment
Detection/coverage: Browser crash telemetry is not the signal here because the impact is information leakage, not execution. NDR may spot malformed or abnormal STUN/TURN behavior if those protocols are monitored.
STEP 03

Induce cross-origin data exposure

If the malformed traffic lands correctly, Chrome may expose data across origin boundaries that should remain isolated. The impact is confidentiality-only according to the published vector: C:H/I:N/A:N. That means the attacker is stealing information, not gaining code execution or persistence.
Conditions required:
  • The victim session contains sensitive browser-resident or protocol-adjacent data worth stealing
  • The leakable data is present during exploitation
Where this breaks in practice:
  • Leak impact depends on what the victim is actively doing at that moment
  • Cross-origin data exposure is usually narrower and noisier than arbitrary code execution
  • No integrity or availability impact increases operational containment
Detection/coverage: DLP, browser telemetry, or web app anomaly detection may catch downstream misuse of stolen tokens or data, but direct detection of the leak itself is weak.
STEP 04

Monetize the stolen data

The attacker still has to turn the leaked information into something operationally useful, such as session data, identifiers, or application content. Follow-on abuse may involve Burp Suite, replay tooling, or custom scripts against the targeted SaaS application. This extra monetization step further limits broad, automated abuse.
Conditions required:
  • Leaked data is valid, sensitive, and reusable
  • Target applications do not block replay or anomaly behavior
Where this breaks in practice:
  • Short-lived tokens and device binding reduce reuse value
  • MFA, conditional access, and session anomaly detection can blunt follow-on abuse
  • Not every leak translates into material business impact
Detection/coverage: Identity telemetry and SaaS audit logs are more likely to reveal the follow-on abuse than the original network-layer leak.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found, and the CVE is not listed in CISA KEV as of this assessment.
PoC availabilityNo public PoC or GitHub exploit repository was found for CVE-2026-11199; current public references are limited to the advisory and CVE record.
EPSS0.00022 from the provided intel, which is effectively negligible and consistent with a narrow, hard-to-weaponize path.
KEV statusNot KEV-listed; no CISA due date applies.
CVSS vectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N — confidentiality-only, but the big limiter is AC:H plus the advisory's explicit *privileged network position* requirement.
Affected versionsGoogle Chrome prior to 149.0.7827.53 on desktop. The CVE record describes the product simply as Google Chrome; no separate Chromium distro backport guidance was found in the accessible sources.
Fixed versionUpdate to 149.0.7827.53 or later. Google published 149.0.7827.53/.54 as the desktop early stable release.
Scanning and exposure dataShodan/Censys/FOFA-style exposure counts are not meaningful here because this is a client-side browser flaw, not an internet-facing server service. The real exposure question is endpoint version prevalence plus whether users traverse hostile or untrusted networks.
Disclosure date2026-06-04.
Reporter / researcherNo reporter credit was visible in the accessible public sources; the linked Chromium issue was not publicly readable without sign-in.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.6/10)

The single biggest downgrade factor is the attacker position: this bug requires a *privileged network attacker*, which is a narrow and expensive prerequisite compared with ordinary browser drive-by exploitation. With no code execution, no KEV listing, no public PoC, and a confidentiality-only outcome, this does not justify enterprise emergency handling.

HIGH Affected version and fixed version
MEDIUM Operational exploitability in real enterprise deployments
MEDIUM Absence of public exploitation evidence at time of assessment

Why this verdict

  • Downward pressure: attacker must already control the network path — unauthenticated remote on the open internet is *not* enough; this implies hostile Wi-Fi, compromised proxy/VPN, or upstream interception.
  • Downward pressure: reachability is narrow — a client-side browser bug cannot be internet-scanned like a server CVE, and only endpoints both running old Chrome and traversing the wrong network conditions are realistically exposed.
  • Downward pressure: modern controls can break the chain — secure VPNs, trusted egress, NAC, rogue AP detection, network segmentation, and identity/session anomaly controls all reduce real-world abuse.
  • Downward pressure: impact is confidentiality-only — there is no published integrity or availability effect, and no browser sandbox escape or arbitrary code execution.
  • Downward pressure: exploit development looks non-trivial — CVSS marks attack complexity high, the advisory calls for malicious network traffic, and no public PoC was found.
  • Small upward pressure: Chrome is everywhere — ubiquity matters, but ubiquity alone does not overcome the on-path requirement.

Why not higher?

If this were a standard crafted-page bug with UI:R or UI:N and no special attacker position, it would stay in MEDIUM. But here the advisory itself narrows the threat to a privileged network attacker, which compounds with high complexity and no public exploitation. That combination kills the mass-exploitation story.

Why not lower?

It is still a real browser confidentiality flaw in a ubiquitous product, and some enterprise users do operate on untrusted hotel, airport, coffee-shop, contractor, or BYOD-adjacent networks. If an attacker does own that path, the bug removes a browser isolation guarantee and can expose sensitive cross-origin data.

05 · Compensating Control

What to do — in priority order.

  1. Force browser auto-update — Make sure Chrome update enforcement is intact across managed endpoints so old builds age out naturally. For a LOW verdict there is no mitigation SLA and no special rush window; treat this as backlog hygiene and use standard endpoint compliance cycles.
  2. Prefer trusted egress paths — Route users through managed VPN, secure web gateway, or known-good enterprise egress when possible, especially for roaming users. This directly cuts the main attack prerequisite by removing attacker-controlled network positions; for LOW, apply as part of routine hardening rather than emergency change work.
  3. Restrict unnecessary WebRTC exposure — Where business use allows it, reduce or control WebRTC usage through enterprise browser policy, extension governance, or app allow-listing. This shrinks the vulnerable code-path population without waiting for perfect patch coverage.
  4. Monitor for rogue network behavior — Watch for ARP spoofing, rogue DHCP, suspicious transparent proxies, anomalous STUN/TURN traffic, and unusual session reuse in SaaS or IdP logs. This will not prevent the bug by itself, but it is the best way to catch the prerequisite network compromise early.
What doesn't work
  • A perimeter WAF does not meaningfully help because the bug sits in the client browser's handling of network traffic, not in your public web server.
  • Server-side patching of internal apps does not remove the browser-side flaw; the vulnerable component is Chrome on the endpoint.
  • EDR alone is weak coverage here because the published impact is information leakage, not malware execution or persistence.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your software inventory agent. Invoke it as python3 check_chrome_cve_2026_11199.py on macOS/Linux or py check_chrome_cve_2026_11199.py on Windows; no admin rights are required for basic local checks, but broader filesystem visibility may improve detection on shared systems.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3\n# Check for CVE-2026-11199 exposure by verifying installed Google Chrome version\n# Affected: Chrome < 149.0.7827.53\n# Fixed:    Chrome >= 149.0.7827.53\n# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN\n\nimport os\nimport platform\nimport re\nimport shutil\nimport subprocess\nimport sys\nfrom typing import Optional, Tuple\n\nFIXED = (149, 0, 7827, 53)\n\ndef parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:\n    m = re.search(r'(\\d+)\\.(\\d+)\\.(\\d+)\\.(\\d+)', text)\n    if not m:\n        return None\n    return tuple(int(x) for x in m.groups())\n\ndef run_cmd(cmd):\n    try:\n        p = subprocess.run(cmd, capture_output=True, text=True, timeout=10)\n        out = (p.stdout or '') + (p.stderr or '')\n        return out.strip()\n    except Exception:\n        return ''\n\ndef get_windows_version() -> Optional[Tuple[int, int, int, int]]:\n    candidates = [\n        os.path.expandvars(r'%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe'),\n        os.path.expandvars(r'%ProgramFiles(x86)%\\Google\\Chrome\\Application\\chrome.exe'),\n        os.path.expandvars(r'%LocalAppData%\\Google\\Chrome\\Application\\chrome.exe'),\n    ]\n    ps = shutil.which('powershell') or shutil.which('pwsh')\n    for path in candidates:\n        if path and os.path.exists(path) and ps:\n            cmd = [ps, '-NoProfile', '-Command', f\"(Get-Item '{path.replace('\\\\', '\\\\\\\\')}').VersionInfo.ProductVersion\"]\n            out = run_cmd(cmd)\n            ver = parse_version(out)\n            if ver:\n                return ver\n    return None\n\ndef get_macos_version() -> Optional[Tuple[int, int, int, int]]:\n    app = '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'\n    if os.path.exists(app):\n        out = run_cmd([app, '--version'])\n        ver = parse_version(out)\n        if ver:\n            return ver\n    return None\n\ndef get_linux_version() -> Optional[Tuple[int, int, int, int]]:\n    for binary in ['google-chrome', 'google-chrome-stable', 'chromium', 'chromium-browser']:\n        path = shutil.which(binary)\n        if path:\n            out = run_cmd([path, '--version'])\n            ver = parse_version(out)\n            if ver:\n                return ver\n    return None\n\ndef compare(a, b):\n    return (a > b) - (a < b)\n\ndef main():\n    system = platform.system().lower()\n    version = None\n\n    if 'windows' in system:\n        version = get_windows_version()\n    elif 'darwin' in system:\n        version = get_macos_version()\n    elif 'linux' in system:\n        version = get_linux_version()\n\n    if not version:\n        print('UNKNOWN - Google Chrome version could not be determined on this host')\n        sys.exit(2)\n\n    version_str = '.'.join(str(x) for x in version)\n    fixed_str = '.'.join(str(x) for x in FIXED)\n\n    if compare(version, FIXED) < 0:\n        print(f'VULNERABLE - Detected Chrome {version_str}; fixed version is {fixed_str} or later')\n        sys.exit(1)\n    else:\n        print(f'PATCHED - Detected Chrome {version_str}; fixed version is {fixed_str}')\n        sys.exit(0)\n\nif __name__ == '__main__':\n    main()\n
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: do not pull people off higher-value patch work for this one unless you have a user population regularly operating on hostile or semi-trusted networks. For a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA; treat it as backlog hygiene, confirm Chrome auto-update policy is functioning, and let normal endpoint update waves move clients to 149.0.7827.53+ rather than running an emergency campaign.

Sources

  1. Google Chrome Releases - Early Stable Update for Desktop
  2. CVE Record
  3. CIRCL Vulnerability Lookup entry
  4. Chromium issue reference
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS overview
  7. FIRST EPSS API documentation
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.