CVE-2026-11207 · Insufficient validation of untrusted input in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perf

01 · The Real Story

This is a vault-door flaw on a building you still have to break into first

CVE-2026-11207 is an *insufficient input validation* bug in Chrome Autofill affecting Google Chrome versions before 149.0.7827.53 on desktop, with related Chrome 149 builds rolling out across channels at the end of May 2026. The published description says a remote attacker could *potentially* trigger a sandbox escape via malicious network traffic, which means the interesting outcome is not page-level abuse but breaking out of Chrome's containment boundary.

The 9.6/CRITICAL number is not how I would run this in an enterprise queue. NVD shows that score as CISA-ADP enrichment, while the Chrome-sourced description itself labels the bug's *Chromium security severity* as Medium; that tracks reality better because a sandbox escape is usually valuable only when paired with a separate renderer/code-execution primitive, and there is no public evidence here of in-the-wild use, KEV listing, or a public weaponized chain.

"This looks scary on paper, but real-world risk drops hard because sandbox escape is usually the second bug, not the first."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the user on attacker-controlled content

The attacker needs the victim to browse to malicious web content or otherwise process attacker-influenced network traffic in Chrome. In practice this is a phishing, ad-tech, watering-hole, or malicious redirect problem, not an internet-facing service problem.

Conditions required:

Victim uses Google Chrome below 149.0.7827.53
Victim reaches attacker-controlled web content
Normal browsing protections do not block delivery

Where this breaks in practice:

Requires user interaction (UI:R) rather than unauthenticated server-side reachability
Safe Browsing, DNS filtering, secure web gateways, and ad/script controls cut down delivery volume
This is endpoint/browser exposure, not broad perimeter exposure

Detection/coverage: Email/web security tooling can often see the delivery stage, but vuln scanners only reliably detect this as a version finding.

STEP 02

Trigger the Autofill validation flaw

The attacker then needs content that reliably exercises the vulnerable Autofill code path and turns bad input handling into a useful primitive. No public PoC or technical write-up was found, and the linked Chromium issue remains restricted, so exploit reliability is unproven from public evidence.

Conditions required:

Specific vulnerable Autofill code path is reachable
Payload shape is compatible with the victim platform/build

Where this breaks in practice:

No public repro or exploit chain located
Restricted bug details reduce copy-paste weaponization
Browser exploit reliability often varies by platform, feature flags, and mitigations

Detection/coverage: Very limited direct detection. Expect at best browser crash telemetry, unusual renderer/browser-process behavior, or EDR child-process/IPC anomalies.

STEP 03

Turn bug impact into a sandbox escape

The published impact claim is a *potential sandbox escape*, meaning the attacker is trying to cross from web content handling into more privileged browser or OS context. In modern Chrome threat models, that is a serious outcome *if* it works, but it is usually the second half of a browser exploit chain rather than a standalone initial-access event.

Conditions required:

The flaw is exploitable beyond a crash
Mitigations such as Chrome sandboxing and platform hardening are bypassed

Where this breaks in practice:

Chrome's entire security architecture is built around sandbox containment and defense in depth
If this bug only escapes containment, an attacker still generally needs a renderer-side primitive or compatible chain stage to matter operationally
No exploitation evidence lowers confidence that this is a broadly reliable escape today

Detection/coverage: EDR may catch post-escape process creation, injection, or policy violations. Traditional network IDS is poor coverage for the actual escape event.

STEP 04

Post-escape objective on the endpoint

If an attacker successfully escapes Chrome's sandbox, they can attempt credential theft, session theft, local persistence, or follow-on execution under the logged-in user's context. That is why this cannot be dismissed outright despite the downgrade.

Conditions required:

Successful escape on a user endpoint
Valuable sessions, tokens, or data available locally

Where this breaks in practice:

EDR, application control, MFA, and least-privilege still constrain downstream blast radius
Many enterprises already rotate browser versions rapidly through policy-managed auto-update

Detection/coverage: This is where defenders actually have the best chance: EDR telemetry, browser crash spikes, suspicious token access, and abnormal browser-spawned process trees.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation found. CISA KEV does not currently list `CVE-2026-11207`, and no public campaign reporting was located.
KEV status	Not KEV-listed as of `2026-06-05`; there is no CISA due date because it is absent from the catalog.
Proof-of-concept availability	No public PoC located in quick public-source review. The Chromium bug reference exposed by NVD points to a restricted issue, which usually slows down copycat exploit development.
EPSS	`0.0009` from the user-provided intel, which is extremely low as a 30-day exploitation probability. I could not verify the percentile from available public source snippets, so I would not invent one.
CVSS vector and what it really means	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H` says remote, low complexity, no privileges, but user interaction is required and the impact assumes a successful boundary crossing. That is exactly where paper severity overstates field severity.
Vendor vs enrichment severity	The `9.6/CRITICAL` visible in NVD is CISA-ADP enrichment, while the Chrome-origin description labels this Chromium security severity: Medium. For prioritization, I weight the vendor's architectural context higher than ADP's worst-case abstraction.
Affected versions	Google Chrome before `149.0.7827.53` is affected. Desktop rollout references `149.0.7827.53/.54` for Windows and Mac in the early stable wave, with matching Chrome 149 channel movement around `2026-05-29`.
Fixed versions	Google Chrome fixed build is `149.0.7827.53` or later. For downstream Chromium packages, distro backport timing varies; no authoritative Debian/Ubuntu backport entry for this exact CVE was found in public snippets at review time.
Exposure/scanning reality	Not Shodan/Censys-friendly. This is an endpoint browser flaw, not a listen-service, so internet-wide scanning is largely irrelevant; your real exposure data comes from endpoint inventory, browser management, and EDR software catalogs.
Disclosure and reporter	Public disclosure landed on `2026-06-04` in NVD. Reporter identity is not publicly visible from the restricted issue page available in public search results.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.2/10)

The decisive downgrade factor is that this is a sandbox-escape-style browser bug without public evidence that it stands alone as an initial access exploit. In enterprise reality, that means the attacker usually still needs a separate renderer-side foothold or exploit chain stage, and there is no KEV or active exploitation signal forcing emergency handling.

HIGH Downgrade from the published `9.6/CRITICAL` label

MEDIUM Exact standalone exploitability of the restricted Autofill bug

Why this verdict

Requires a user-driven browser reachability path: this is UI:R, so the attacker does not get unauthenticated server-side reach into your fleet the way they would with an exposed appliance or daemon.
Looks like a chain component, not clean initial access: a sandbox escape matters most after an attacker has already gained code execution or a strong primitive in the renderer/browser content path; that is major downward pressure on real-world severity.
No exploitation heat: no KEV listing, no public campaign reporting, and a very low EPSS (0.0009) all argue against emergency treatment.
Vendor context is calmer than the headline number: Chrome's own description tags the bug as *Chromium security severity: Medium*, while the 9.6 comes from CISA-ADP enrichment rather than Google's published severity language.
Exposure is broad but not perimeter-broad: Chrome is everywhere, which keeps this from dropping to LOW, but it is still endpoint/browser exposure managed by update rings rather than internet-facing mass exploitation surface.

Why not higher?

I am not taking this to HIGH or CRITICAL because the public evidence does not show active exploitation, KEV status, a public weaponized PoC, or proof that this flaw alone routinely converts web content into host compromise. The chain likely narrows through user interaction and exploit-stage dependencies, which is exactly the kind of compounding friction that should drag a CVSS-first score down.

Why not lower?

I am not pushing this to LOW because a successful browser sandbox escape on an employee endpoint is still strategically valuable. Chrome is ubiquitous, users browse untrusted content all day, and if an attacker does have a compatible chain, the impact can jump from page context to endpoint compromise.

05 · Compensating Control

What to do — in priority order.

Enforce browser auto-update — Use Chrome enterprise policy or your endpoint management stack to force update cadence and prevent version pinning. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but browsers are cheap to move, so this should ride your normal managed browser wave rather than linger.
Block unmanaged Chrome versions — Use device compliance or software inventory policy to flag and quarantine endpoints still running pre-149.0.7827.53 Chrome after your rollout. This helps especially with VDI gold images, kiosk builds, and long-lived laptops that miss silent updater events; again, for MEDIUM there is no mitigation SLA, so focus on finishing remediation inside the 365-day window.
Tighten web delivery controls — Keep Safe Browsing, DNS filtering, secure web gateway inspection, and ad/script control policies enabled because they reduce the chance users ever hit exploit delivery pages. These are worthwhile exposure reducers, but for this severity bucket they support normal remediation rather than an emergency compensating-control deadline.
Hunt browser-to-host breakouts — Create or tune detections for unusual Chrome child processes, browser-spawned shells, suspicious file writes from browser processes, and crash clusters around the disclosure window. This does not fix the bug, but it gives you the only meaningful chance to catch successful post-sandbox activity while remediation rolls through.

What doesn't work

WAF does not materially help because the vulnerable target is the client browser, not your web application perimeter.
Network vulnerability scanning will only tell you whether a Chrome version is installed if your agent sees it; it will not validate exploitability or catch the browser-side trigger path.
MFA alone does not stop endpoint compromise after a successful sandbox escape; it helps contain account abuse, not browser-to-host execution.

06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your EDR/remote execution platform. Invoke it with python3 check_chrome_cve_2026_11207.py on macOS/Linux or py check_chrome_cve_2026_11207.py on Windows; standard user rights are usually enough because it only reads version information from common install paths and the Windows registry.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# Check Google Chrome version for CVE-2026-11207 exposure
# Outputs exactly one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import platform
import re
import subprocess
import sys

FIXED = (149, 0, 7827, 53)


def norm(v):
    parts = [int(x) for x in re.findall(r'\d+', v)]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def ge(a, b):
    return a >= b


def run_cmd(cmd):
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10)
        if p.returncode == 0:
            return (p.stdout or p.stderr).strip()
    except Exception:
        pass
    return None


def windows_version():
    # Try registry first
    reg_paths = [
        r'HKLM\SOFTWARE\Google\Chrome\BLBeacon',
        r'HKLM\SOFTWARE\WOW6432Node\Google\Chrome\BLBeacon',
        r'HKCU\Software\Google\Chrome\BLBeacon',
    ]
    for path in reg_paths:
        out = run_cmd(['reg', 'query', path, '/v', 'version'])
        if out:
            m = re.search(r'version\s+REG_\w+\s+([^\r\n]+)', out, re.IGNORECASE)
            if m:
                return m.group(1).strip()

    # Fallback to executable version
    candidates = [
        os.path.expandvars(r'%ProgramFiles%\Google\Chrome\Application\chrome.exe'),
        os.path.expandvars(r'%ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe'),
        os.path.expandvars(r'%LocalAppData%\Google\Chrome\Application\chrome.exe'),
    ]
    for exe in candidates:
        if exe and os.path.exists(exe):
            out = run_cmd([exe, '--version'])
            if out:
                return out
    return None


def mac_version():
    app = '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'
    if os.path.exists(app):
        out = run_cmd([app, '--version'])
        if out:
            return out
    plist = '/Applications/Google Chrome.app/Contents/Info.plist'
    if os.path.exists(plist):
        out = run_cmd(['/usr/bin/defaults', 'read', plist, 'CFBundleShortVersionString'])
        if out:
            return out
    return None


def linux_version():
    for cmd in (['google-chrome', '--version'], ['google-chrome-stable', '--version'], ['chrome', '--version']):
        out = run_cmd(cmd)
        if out:
            return out
    for path in ('/opt/google/chrome/chrome', '/usr/bin/google-chrome', '/usr/bin/google-chrome-stable'):
        if os.path.exists(path):
            out = run_cmd([path, '--version'])
            if out:
                return out
    return None


def main():
    system = platform.system().lower()
    raw = None

    if 'windows' in system:
        raw = windows_version()
    elif 'darwin' in system:
        raw = mac_version()
    elif 'linux' in system:
        raw = linux_version()

    if not raw:
        print('UNKNOWN')
        sys.exit(2)

    m = re.search(r'(\d+\.\d+\.\d+\.\d+)', raw)
    if not m:
        print('UNKNOWN')
        sys.exit(2)

    found = norm(m.group(1))

    if ge(found, FIXED):
        print('PATCHED')
        sys.exit(0)
    else:
        print('VULNERABLE')
        sys.exit(1)


if __name__ == '__main__':
    main()

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: treat this as a managed browser remediation item, not a fire drill. There is no noisgate mitigation SLA — go straight to the 365-day remediation window, but because Chrome is easy to move at scale, you should push your managed fleet to 149.0.7827.53+ in the next normal browser wave, verify stragglers through endpoint inventory, and close out unmanaged exceptions well before the noisgate remediation SLA limit of 365 days.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.