CVE-2026-11224 · Use after free in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malici

01 · The Real Story

This is a loaded nail gun left in a side room, not a landmine in the lobby

CVE-2026-11224 is a CWE-416 use-after-free in Chrome's Chromoting component on Linux. The affected range is Google Chrome on Linux before 149.0.7827.53; Google promoted 149.0.7827.53 to Stable for Linux on 2026-06-02, and NVD published the CVE on 2026-06-04. The bug is described as remote code execution via malicious network traffic, which means the vulnerable code path is reached through Chrome's remote-desktop/remoting stack rather than a generic web page render path.

Vendor scoring overstates the enterprise patch emergency here. 8.1/HIGH is fair in a lab because unauthenticated remote memory corruption can end in code execution, but in production this is Linux-only, tied to the Chromoting feature path, not broadly internet-enumerable like an appliance bug, and currently has no KEV listing, no public exploitation evidence, and a very low EPSS (0.00159). Google also labels the bug Low in its release notes, which better matches the real deployment friction than the abstract CVSS math.

"Technically nasty, operationally narrow: Linux-only Chromoting RCE with low real-world reach."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable Linux target using Chromoting

The attacker first needs a Linux endpoint running vulnerable Chrome and a reachable Chromoting/Chrome Remote Desktop path. In practice this is not a mass internet scan problem; the attacker usually needs prior knowledge of the target fleet, an already-compromised internal foothold, or a remote-support workflow that exposes the feature.

Conditions required:

Google Chrome on Linux earlier than 149.0.7827.53
Chromoting/remote desktop functionality present and reachable
Network path to the target endpoint or active remoting session

Where this breaks in practice:

Most enterprise Chrome installs are not exposing a public listener that Shodan/Censys can cleanly fingerprint
Linux desktop population is smaller than Windows in many enterprises
Many fleets do not enable Chrome Remote Desktop at scale

Detection/coverage: Exposure is mostly inventory-driven, not scanner-driven. Version scanners can flag Chrome builds; network scanners will have poor fidelity because the vulnerable condition is feature/state dependent.

STEP 02

Drive the vulnerable protocol state

The attacker must send crafted network traffic that reaches the vulnerable Chromoting code path. That likely means implementing enough of the remoting signaling/transport flow to hit the exact allocator state needed for the use-after-free.

Conditions required:

Ability to speak the relevant Chromoting protocol flow
A custom exploit or bug-specific harness
The target must process attacker-controlled traffic in the vulnerable feature path

Where this breaks in practice:

Google has restricted bug details until most users are updated
Protocol/state requirements usually kill copy-paste exploitation
NAT, host firewalls, VPN boundaries, and remote-access policy often break reachability

Detection/coverage: IDS coverage is likely weak unless you already inspect remote-support traffic patterns. Chrome/Chromoting crash telemetry is more realistic than signature-based network detection.

STEP 03

Exploit the use-after-free reliably

A CWE-416 is capable of code execution, but turning a crash into reliable RCE on modern Chrome/Linux is non-trivial. Heap grooming, build-specific offsets, allocator behavior, and Chrome hardening all raise the exploit-development bar.

Conditions required:

Exact vulnerable build
Stable exploit primitive for this bug
Sufficient understanding of Chrome's Linux memory layout/hardening

Where this breaks in practice:

Vendor CVSS itself marks attack complexity as H
Memory-corruption exploits often crash before they execute
Chrome sandboxing and process isolation may limit initial impact depending on the code path

Detection/coverage: EDR can often catch the side effects: repeated chrome crashes, abnormal chrome child processes, unexpected coredumps, or seccomp/sandbox denials.

STEP 04

Turn process access into useful impact

If exploitation succeeds, the attacker gets code execution in the vulnerable process context, but the operational value depends on what that process can access. On a Linux admin workstation or shared support box, that can still be meaningful; on a locked-down user endpoint, follow-on privilege escalation or credential access may be required.

Conditions required:

Successful code execution
A target with useful data, tokens, or lateral movement value
Lack of endpoint controls preventing post-exploitation

Where this breaks in practice:

Initial execution may be sandboxed or low privilege
Persistence and lateral movement are separate problems
Modern EDR usually sees suspicious child-process and credential-access behavior

Detection/coverage: Watch for chrome or chrome-remote-desktop spawning shells, interpreters, downloaders, or touching credential stores. Endpoint telemetry is the best control plane here.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public in-the-wild exploitation evidence found in the reviewed sources, and the CVE is not listed in CISA KEV.
Public PoC status	No public PoC located in broad web/GitHub-style searches at assessment time; Google also states bug details may remain restricted until the majority of users are updated.
EPSS	`0.00159` (user-supplied), which is very low and points away from near-term commodity exploitation. Percentile was not independently verified from FIRST in this environment.
KEV status	Not in CISA KEV as of this reassessment. That removes the strongest urgency amplifier.
CVSS vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` — the important part is `AC:H`; the exploit chain is remote and serious if reachable, but reliability and setup are not trivial.
Affected versions	Google Chrome on Linux before `149.0.7827.53`.
Fixed version	Google promoted Chrome `149.0.7827.53` for Linux to Stable on 2026-06-02. Distro Chromium backports may differ and should be validated per distro maintainer advisory.
Exposure/scanning reality	This is endpoint software, not a classic internet-facing appliance. Shodan/Censys-style exposure metrics are not a reliable way to measure reachable population; asset inventory and Linux desktop/remoting usage data matter more.
Disclosure timeline	Chrome Stable advisory published 2026-06-02; CVE published by NVD on 2026-06-04; CISA-ADP CVSS update recorded 2026-06-05.
Reporting source	Chrome release notes attribute discovery to David Bors and Catalin Iovita, reported on 2026-04-14.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.9/10)

The decisive factor is reachability friction: this is a Linux-only bug in Chrome's Chromoting path, not a generic drive-by browser bug or a broadly internet-enumerable server flaw. That sharply narrows exposed population and makes the vendor's abstract 8.1 score too hot for enterprise-wide patch triage.

HIGH Affected version range and fixed version

MEDIUM Real-world exploitability and reachable population

MEDIUM Absence of public exploitation evidence at assessment time

Why this verdict

Downward adjustment: Linux-only scope cuts the exposed fleet materially versus a cross-platform Chrome bug.
Downward adjustment: feature-specific reachability means the attacker needs the Chromoting path, not just any browser tab or public web endpoint.
Downward adjustment: high attack complexity is explicit in the current CVSS vector and is typical for reliable modern Chrome memory-corruption exploitation.
Downward adjustment: no KEV, no public campaign data, no public PoC found removes the strongest real-world urgency signals.
Upward adjustment: impact is still real because a remote unauthenticated memory corruption that can become code execution on a managed endpoint is not backlog noise.

Why not higher?

It is not higher because the path assumes a much narrower attacker position than the score headline suggests: the attacker needs a reachable Linux target using the vulnerable Chromoting flow, then must land a high-complexity memory-corruption exploit. That is worlds apart from a web-facing edge appliance bug or an every-user drive-by renderer issue.

Why not lower?

It is not lower because, where the feature is enabled and reachable, the bug can plausibly end in remote code execution without credentials. Linux engineering workstations, support boxes, and shared admin desktops can still have meaningful blast radius even if population-wide exposure is limited.

05 · Compensating Control

What to do — in priority order.

Disable Chromoting where it is not required — Remove or disable Chrome Remote Desktop/Chromoting on Linux endpoints that do not need it. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this is the highest-value compensating control for high-risk Linux admin and support workstations.
Constrain remote-support network paths — Restrict outbound and inbound remoting/signaling traffic to approved brokers, VPN paths, and managed support subnets. This reduces the chance that arbitrary external traffic can ever reach the vulnerable code path; use it where patch deployment on Linux desktops lags.
Prioritize high-value Linux desktops — Flag developer workstations, jump boxes with GUI sessions, SOC analyst Linux desktops, and remote support endpoints for earlier patching. The bug is population-narrow, so the right move is to front-load the small number of Linux systems that actually matter.
Hunt for Chrome crash and child-process anomalies — Alert on repeated chrome or chrome-remote-desktop crashes, coredumps, and unexpected child processes such as shells, scripting engines, or download tools. This will not prevent exploitation, but it improves the odds of catching exploit development attempts and failed weaponization.

What doesn't work

A WAF does nothing useful here; this is not a web application edge issue.
Email filtering is not a primary control because the described trigger is malicious network traffic in a remoting component, not a phishing attachment chain.
Generic browser hardening policies help only marginally if Chromoting remains enabled and reachable; the narrow feature path is the real problem.
Internet exposure scanning alone will miss most of the risk because Chrome desktop endpoints are not measured like appliances.

06 · Verification

Crowdsourced verification payload.

Run this on the Linux target host itself or through your endpoint management agent. Invoke as bash check_cve_2026_11224.sh; it needs no root privileges. It checks Google Chrome version locally and returns VULNERABLE, PATCHED, or UNKNOWN with exit codes for automation.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_11224.sh
# Detects whether Google Chrome on Linux is vulnerable to CVE-2026-11224
# Affected: Google Chrome on Linux < 149.0.7827.53
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

FIXED="149.0.7827.53"
FOUND_BIN=""
FOUND_VER=""

candidates=(
  "/usr/bin/google-chrome"
  "/usr/bin/google-chrome-stable"
  "/opt/google/chrome/google-chrome"
)

for bin in "${candidates[@]}"; do
  if [ -x "$bin" ]; then
    FOUND_BIN="$bin"
    break
  fi
done

if [ -z "$FOUND_BIN" ]; then
  echo "UNKNOWN: Google Chrome binary not found in standard locations; this script only assesses Google Chrome on Linux."
  exit 2
fi

raw_ver="$($FOUND_BIN --version 2>/dev/null || true)"
FOUND_VER="$(printf '%s' "$raw_ver" | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n1)"

if [ -z "$FOUND_VER" ]; then
  echo "UNKNOWN: Unable to parse Chrome version from: $raw_ver"
  exit 2
fi

ver_lt() {
  # returns 0 if $1 < $2
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" lt "$2"
    return $?
  fi
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ] && [ "$1" != "$2" ]
}

if ver_lt "$FOUND_VER" "$FIXED"; then
  echo "VULNERABLE: Google Chrome version $FOUND_VER is older than fixed version $FIXED ($FOUND_BIN)"
  exit 1
fi

echo "PATCHED: Google Chrome version $FOUND_VER is at or above fixed version $FIXED ($FOUND_BIN)"
exit 0

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not treat this like an internet-edge fire drill across 10,000 hosts. Use asset inventory to find Linux endpoints with Google Chrome and any Chromoting/Chrome Remote Desktop usage, patch those systems to 149.0.7827.53 or later in the normal Linux client cycle, and give earlier attention to admin, engineering, and support desktops that actually use remoting. Under the noisgate mitigation SLA, there is no mitigation SLA — go straight to the 365-day remediation window; under the noisgate remediation SLA, complete patching by 2027-06-04. If you discover externally reachable or business-critical Linux remoting endpoints, accelerate them into the current maintenance cycle even though the fleet-wide verdict stays MEDIUM.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.