CVE-2026-11222 · Incorrect security UI in Tab Strip in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafte

01 · The Real Story

This is a fake storefront sign, not a lockpick for the building

CVE-2026-11222 is a security UI spoofing bug in Chrome's Tab Strip that affects Chrome before 149.0.7827.53 on Linux and before 149.0.7827.53/.54 on Windows and macOS. A remote attacker can host a crafted page that makes the browser present misleading domain information in the tab UI, creating a domain spoofing condition rather than code execution, sandbox escape, or data theft by itself.

Google's MEDIUM 6.5 label is defensible in pure CVSS terms because the flaw is remote and can mislead users, but it overstates the operational urgency for enterprise patch triage. The real-world attack still needs a full phishing chain: lure, user attention failure, credential capture or approval, and usually weak auth downstream. The bug improves phish credibility; it does not directly compromise the host.

"This is phishing camouflage, not endpoint compromise; patch it in normal Chrome hygiene, not as an emergency."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Prepare a spoofing page

The attacker builds a crafted web page designed to trigger the Tab Strip UI confusion and makes the tab appear to represent a more trusted domain than the page actually belongs to. Tooling is trivial here: a commodity phishing page or cloned login workflow is enough; the Chrome bug is just the polish layer.

Conditions required:

Victim is running vulnerable Chrome below 149.0.7827.53/54
Attacker can host arbitrary web content
The crafted UI condition reliably reproduces in the victim's browser window state

Where this breaks in practice:

This is not a one-click browser takeover; the attacker must first get the victim onto the page
UI spoofing bugs are often brittle across window size, tab state, zoom, locale, and future minor builds

Detection/coverage: Internet scanners will not find this. Version-based endpoint inventory can identify exposure, but scanners cannot validate the visual spoof condition remotely.

STEP 02

Lure the user to the page

The attacker still needs delivery through email, chat, ads, search poisoning, or another social channel. In practice this looks like a standard phishing campaign with a more convincing browser presentation layer.

Conditions required:

A user clicks or otherwise opens attacker-controlled content
The delivery channel bypasses mail filtering, safe browsing, or user skepticism

Where this breaks in practice:

Email security, safe-link rewriting, browser reputation systems, and user reporting all break the chain before the Chrome bug matters
Managed enterprises often suppress direct credential prompts behind SSO portals and conditional access

Detection/coverage: Secure email gateways, browser reputation telemetry, and web proxies are more likely to catch this step than a vulnerability scanner.

STEP 03

Exploit user trust in the tab label

Once the victim lands on the page, the attacker relies on the crafted Tab Strip state to make the user misread the page's identity. Tooling at this stage is usually just the phishing kit itself; the vulnerability's job is to reduce visual friction during user judgment.

Conditions required:

The victim relies on tab text or high-level browser chrome cues instead of carefully checking the full origin
The spoof survives the victim's display, theme, and UI configuration

Where this breaks in practice:

Users do not authenticate against tabs; they authenticate against workflows, IdP prompts, and MFA prompts
Omnibox checks, enterprise warning banners, password manager origin matching, and user familiarity with SSO flows reduce payoff

Detection/coverage: There is little host telemetry for the visual deception itself. Browser logging will usually show only a visit to a phishing domain, not a detectable CVE trigger.

STEP 04

Harvest credentials or approvals

Impact only materializes if the attacker pairs the UI spoof with a downstream credential theft or consent-grant flow, for example a fake IdP page or an Evilginx-style reverse-proxy phish. Without that second stage, the CVE produces confusion, not compromise.

Conditions required:

The target enters credentials, approves push MFA, or grants OAuth consent
The organization lacks phishing-resistant authentication or compensating IdP controls

Where this breaks in practice:

FIDO2/WebAuthn, device-bound passkeys, password managers, and conditional access sharply limit the value of a spoofed tab label
Even successful phish may be contained to one user session rather than leading to endpoint execution

Detection/coverage: Identity telemetry is the best detection point: impossible travel, new device sign-in, abnormal OAuth consent, MFA fatigue, and reverse-proxy indicators.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	As of 2026-06-05, I found no KEV entry and no authoritative Google or government advisory stating active exploitation.
Public PoC	I found no public PoC or exploit repo tied to `CVE-2026-11222` in quick web-visible results; current evidence points to a vendor-advisory-only disclosure state.
EPSS	User-supplied EPSS is 0.00022 (~0.022% 30-day exploitation probability). That is very low and consistent with low attacker enthusiasm for a UI-only phish amplifier.
KEV status	Not listed in CISA KEV as checked against the catalog on 2026-06-05; therefore no KEV remediation due date applies.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N` means remote reachability with required user interaction, no direct confidentiality loss, and integrity impact driven by user deception, not by code execution.
Affected versions	Chrome before 149.0.7827.53 on Linux and before 149.0.7827.53/.54 on Windows/macOS, per Google's stable-channel update and the Cyber Centre advisory.
Fixed versions	Fix landed in 149.0.7827.53 for Linux and 149.0.7827.53/.54 for Windows/macOS. Because Chrome auto-updates, the operational problem is usually update lag, not package availability.
Exposure/scanning reality	This is not internet-enumerable in the Shodan/Censys/FOFA sense because it's a client-side browser UI flaw. Exposure is measured through endpoint/browser inventory, not external attack-surface scanning.
Disclosure	Disclosed 2026-06-04 with public fix availability in the Chrome 149 train released 2026-05-29 to beta/early-stable channels.
Reporter / credit	I did not find a public researcher credit for this specific CVE in the sources reviewed. Treat attribution as not publicly surfaced yet.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.8/10)

The decisive factor is that this bug is not an initial-access primitive by itself; it only makes a phishing page look more believable. There is no host compromise, no sandbox escape, no memory corruption, and no evidence of active exploitation pushing this above routine browser patch hygiene.

HIGH This is a UI-spoofing/phishing-amplifier class issue, not direct endpoint compromise

MEDIUM No-public-exploitation assessment as of 2026-06-05

MEDIUM Affected-version and fixed-version mapping for desktop channels

Why this verdict

User interaction is mandatory: the attacker must first deliver a lure and get a user onto attacker-controlled content; that is classic phishing-chain friction, not wormable browser exploitation.
The implied attacker position is pre-compromise but low-leverage: unauthenticated remote is broad, but the bug's value only appears after the victim makes a trust decision. That sharply reduces real attacker ROI compared with Chrome RCEs.
The reachable population is broad, but the payoff is narrow: Chrome is everywhere, yet this CVE only buys visual deception in one app. It does not yield code execution, local privilege, or cross-host blast radius.
Modern controls should stop downstream abuse: safe browsing, email security, password-manager origin matching, IdP conditional access, and especially FIDO2/WebAuthn all cut off the actual compromise step.
Threat intel is cold: EPSS is extremely low, there is no KEV listing, and I found no authoritative exploitation signal. Starting from Google's 6.5 baseline, those are explicit downward adjustments.

Why not higher?

If this were a Chrome memory-corruption bug with no-click or visit-only exploitation, it would land much higher because Chrome is universal and attacker reach would be enormous. Here, the CVE only improves the believability of a phish; the attacker still has to win the human and identity-control layers.

Why not lower?

I am not calling this IGNORE because browser UI spoofing can still raise phish conversion rates in real enterprises, especially where passwords or push MFA remain in use. Chrome is widely deployed, so even a low-grade credibility booster can matter at scale if your identity stack is weak.

05 · Compensating Control

What to do — in priority order.

Enforce phishing-resistant auth — Prioritize FIDO2/WebAuthn, passkeys, or other origin-bound methods so a spoofed tab label cannot convert directly into credential reuse. For a LOW verdict there is no formal mitigation SLA, but this should remain a standing control objective rather than a CVE-specific emergency action.
Inventory Chrome laggards — Use endpoint management to find systems still below 149.0.7827.53/54 and verify auto-update health. For a LOW verdict there is no formal mitigation SLA; handle this as routine fleet hygiene in the next browser maintenance cycle.
Tighten browser-to-IdP trust cues — Lean on password managers, managed bookmarks, SSO shortcuts, IdP branding, and conditional access so users arrive through known-good flows instead of ad hoc links. For a LOW verdict there is no formal mitigation SLA, but these controls reduce the real payoff of UI-spoofing bugs across the board.
Hunt for phish outcomes, not CVE triggers — Monitor for reverse-proxy phish, suspicious OAuth grants, MFA fatigue, and anomalous sign-ins because those are the practical impacts this CVE would feed into. For a LOW verdict there is no formal mitigation SLA; integrate the hunts into normal identity-defense operations.

What doesn't work

EDR alone does not solve this because there is no malware execution requirement; the abuse path is social engineering plus browser presentation.
Network perimeter scanning does not help because this is not a server-side service you can fingerprint from outside.
Telling users to 'look at the tab' can backfire here; the flaw specifically targets that trust cue.

06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your software-distribution/EDR script runner. Invoke with python3 check_chrome_cve_2026_11222.py on macOS/Linux or py -3 check_chrome_cve_2026_11222.py on Windows; no admin rights are normally required, though some locked-down registry or app paths may need elevated read access.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# check_chrome_cve_2026_11222.py
# Detect whether Google Chrome is below the fixed version for CVE-2026-11222.
# Outputs exactly one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 1=vulnerable, 0=patched, 2=unknown

import os
import platform
import re
import subprocess
import sys

FIXED_WIN_MAC = (149, 0, 7827, 53)
FIXED_LINUX = (149, 0, 7827, 53)


def parse_version(s):
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', s or '')
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_lt(a, b):
    return a < b


def run_cmd(cmd):
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10)
        if p.returncode == 0:
            return p.stdout.strip() or p.stderr.strip()
    except Exception:
        pass
    return None


def get_windows_version():
    try:
        import winreg
    except ImportError:
        return None

    keys = [
        (winreg.HKEY_CURRENT_USER, r"Software\Google\Chrome\BLBeacon", "version"),
        (winreg.HKEY_LOCAL_MACHINE, r"Software\Google\Chrome\BLBeacon", "version"),
        (winreg.HKEY_LOCAL_MACHINE, r"Software\WOW6432Node\Google\Chrome\BLBeacon", "version"),
    ]

    for hive, path, value_name in keys:
        try:
            with winreg.OpenKey(hive, path) as key:
                val, _ = winreg.QueryValueEx(key, value_name)
                v = parse_version(str(val))
                if v:
                    return v
        except OSError:
            continue

    candidates = [
        os.path.expandvars(r"%ProgramFiles%\Google\Chrome\Application\chrome.exe"),
        os.path.expandvars(r"%ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe"),
        os.path.expandvars(r"%LocalAppData%\Google\Chrome\Application\chrome.exe"),
    ]
    for exe in candidates:
        if exe and os.path.exists(exe):
            out = run_cmd([exe, "--version"])
            v = parse_version(out or "")
            if v:
                return v
    return None


def get_macos_version():
    app = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
    if os.path.exists(app):
        out = run_cmd([app, "--version"])
        v = parse_version(out or "")
        if v:
            return v
    return None


def get_linux_version():
    candidates = [
        ["google-chrome", "--version"],
        ["google-chrome-stable", "--version"],
        ["chromium-browser", "--version"],
        ["chromium", "--version"],
        ["/opt/google/chrome/chrome", "--version"],
        ["/usr/bin/google-chrome", "--version"],
        ["/usr/bin/google-chrome-stable", "--version"],
    ]
    for cmd in candidates:
        out = run_cmd(cmd)
        v = parse_version(out or "")
        if v:
            return v
    return None


def main():
    system = platform.system().lower()
    if system == "windows":
        v = get_windows_version()
        fixed = FIXED_WIN_MAC
    elif system == "darwin":
        v = get_macos_version()
        fixed = FIXED_WIN_MAC
    elif system == "linux":
        v = get_linux_version()
        fixed = FIXED_LINUX
    else:
        print("UNKNOWN")
        return 2

    if not v:
        print("UNKNOWN")
        return 2

    if version_lt(v, fixed):
        print("VULNERABLE")
        return 1

    print("PATCHED")
    return 0


if __name__ == "__main__":
    sys.exit(main())

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: do not burn emergency change windows on this one. Use endpoint inventory to find Chrome builds below 149.0.7827.53/54, verify auto-update is actually working, and fold the fixes into your next standard browser rollout ring. For a LOW verdict, the noisgate mitigation SLA is no SLA, and the noisgate remediation SLA is backlog hygiene rather than a dated emergency deadline; if you already operate staged Chrome rings, clear the laggards in the next normal maintenance cycle and spend your immediate attention on identity controls that blunt phishing success.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.