CVE-2026-11231 · Inappropriate implementation in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary

01 · The Real Story

This is a booby-trapped package that still has to make it through the mailroom

CVE-2026-11231 is a macOS-only Chrome client bug in Safe Browsing. Affected systems are Google Chrome on Mac before 149.0.7827.53; Google’s June 2, 2026 stable release moved macOS to 149.0.7827.53/54, and the CVE was then published in external feeds on June 4-5, 2026. The described outcome is arbitrary code execution, but the trigger is not a raw network service hit — the attacker needs the victim to handle a malicious file through Chrome’s vulnerable path.

The vendor’s HIGH 8.1 CVSS is directionally understandable because code execution in a browser is never trivial, but it overshoots the operational risk for enterprise patch triage. The big downgrade drivers are user interaction, malicious-file delivery, macOS-only scope, client-side non-routable exposure, no KEV listing, no public exploit, and a near-zero EPSS. Chrome’s own release note even tags the underlying Chromium bug as Low severity, which is a strong hint that the CVSS math is describing impact in a vacuum rather than reachability in the real world.

"Real bug, real code-exec impact, but the attack has too many chokepoints to treat like a fleet-wide fire"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a malicious file to a Mac Chrome user

The attacker needs a delivery mechanism such as phishing, a drive-by download, or a lure site to place a crafted file in front of a victim using Chrome on macOS. In practice this is usually commodity delivery tooling like GoPhish campaigns, fake-update lures, or download pages rather than a purpose-built exploit framework for this CVE. There is no public PoC tied to CVE-2026-11231 so the weaponization burden starts here.

Conditions required:

Target uses Google Chrome on macOS
Chrome version is earlier than 149.0.7827.53
Attacker can get the user to download or otherwise process a malicious file

Where this breaks in practice:

Email security, browser download warnings, and user suspicion break a lot of campaigns before the bug matters
Windows and Linux Chrome populations are irrelevant to this CVE
Enterprises with managed browser auto-update shrink the vulnerable population quickly

Detection/coverage: Good coverage from email gateways, secure web gateways, attachment detonation, and endpoint telemetry on suspicious downloads. Vulnerability scanners can usually identify browser version, but not whether the exact Safe Browsing path is realistically reachable.

STEP 02

Trigger the vulnerable Safe Browsing path

The malicious file has to hit the specific Safe Browsing implementation flaw on macOS. That is materially narrower than the classic 'visit a page and get popped' browser bug pattern because exploitation depends on file handling behavior, not just socket reachability. The absence of public exploit details suggests attackers still need private research to turn the bug into something reliable.

Conditions required:

Victim interacts with or downloads the attacker-controlled file through Chrome
Safe Browsing processing reaches the flawed code path on macOS

Where this breaks in practice:

Not every download path or file type will necessarily hit the vulnerable logic
Chrome bug details are restricted pending patch uptake, which slows copycat exploit development
Modern endpoint controls often quarantine suspicious files before browser-side processing becomes relevant

Detection/coverage: Weak direct signature coverage for the vulnerability itself because technical details are restricted. Best detection comes from download telemetry, file reputation events, and unusual Chrome child-process behavior.

STEP 03

Gain code execution in the Chrome user context

If exploitation succeeds, the attacker gets arbitrary code execution associated with the browser process and the logged-in user context. That is serious on the endpoint, but it is still a client compromise, not an unauthenticated remote takeover of an internet-facing server. Post-exploitation would typically pivot to commodity macOS tradecraft such as osascript, LaunchAgents, credential theft, or browser data collection.

Conditions required:

Exploit is reliable against the victim’s Chrome/macOS build
Endpoint defenses do not block the payload after execution

Where this breaks in practice:

EDR on macOS is very capable at catching browser-spawned payloads and persistence moves
macOS security controls and user-context execution limit immediate blast radius versus a server-side RCE
Enterprise browsers are usually rapidly updated, reducing shelf life

Detection/coverage: Strong downstream detection from EDR: suspicious Chrome child processes, LaunchAgent creation, AppleScript abuse, credential store access, and browser data theft patterns.

STEP 04

Convert one endpoint foothold into broader impact

The attacker still has to cash out the endpoint compromise into data theft, lateral movement, or persistence. That is no longer the CVE doing the work; it is standard post-compromise tradecraft. In a 10,000-host estate, this means the vulnerability is best treated as a phishing-adjacent endpoint entry point, not as a fleet-wide edge-exposure emergency.

Conditions required:

Victim has valuable data or reusable enterprise credentials
Lateral movement paths exist beyond the initially compromised Mac

Where this breaks in practice:

MFA, conditional access, device trust, and segmented admin access blunt follow-on value
Single-user blast radius is much smaller than a perimeter appliance or identity tier bug

Detection/coverage: High confidence detection opportunity after exploitation through identity telemetry, EDR, and anomalous access monitoring.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found and not in CISA KEV as checked against the KEV catalog. This materially lowers urgency versus Chrome zero-days that ship with active-exploitation language.
Public exploit / PoC	No public PoC located in current searches. Google is still restricting bug details in the release notes, which usually slows fast follower weaponization.
EPSS	0.00034 (~0.034%) from the prompt, which is effectively floor-level risk. That lines up with a bug that is technically meaningful but operationally hard to monetize at scale.
KEV status	Not KEV-listed. No CISA due date applies.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N` — the key word is UI:R. The impact is real, but the score assumes the user-interaction chokepoint is cheap, which is not always true in managed fleets.
Affected versions	Chrome on macOS before 149.0.7827.53. This is not a cross-platform Chrome desktop issue in the title you provided.
Fixed versions	Google’s June 2, 2026 stable release moved desktop Chrome to 149.0.7827.53 (Linux) and 149.0.7827.53/54 (Windows/Mac). For this CVE, the relevant macOS fix floor is 149.0.7827.53.
Exposure / scanability	Not meaningfully internet-enumerable via Shodan/Censys/FOFA because this is a client-side browser flaw, not a routable service. Your real exposure metric is managed Mac Chrome version inventory, not external attack-surface counts.
Disclosure timeline	Patch shipped in Google’s stable update on 2026-06-02; the CVE appeared in public CVE tracking on 2026-06-04/05 depending on the feed. Use the vendor ship date for remediation planning, not the later mirror dates.
Reporter / provenance	Google’s release note lists it as reported by Google on 2026-03-24 and classifies the Chromium security severity as Low, despite the vendor CVSS being HIGH 8.1.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.6/10)

The decisive downgrade factor is that this is a client-side, macOS-only, malicious-file + user-interaction chain rather than an internet-facing service bug. You are defending against a narrower endpoint entry path with no current exploitation evidence, not a remotely reachable fleet-wide takeover condition.

HIGH Affected version and patch floor

MEDIUM Exploitability assessment without public technical details

HIGH Downgrade due to attacker-position and exposure friction

Why this verdict

Down from 8.1 because the attacker does not hit a routable service — this is a browser client bug, so there is no Shodan-scale external exposure population to treat as edge risk
Down again because it requires user interaction with a malicious file — UI:R is not a footnote here; it means the exploit chain depends on delivery success through mail/web controls and user behavior
Down again because it is macOS-only — in most enterprise fleets that is a minority slice, so the reachable population is much smaller than 'all Chrome users'
Down again because there is no KEV listing, no public PoC, and extremely low EPSS — threat evidence does not support emergency treatment
Not lower because successful exploitation still lands arbitrary code execution on an endpoint — if it hits a privileged or high-value user, the follow-on damage can still be expensive

Why not higher?

A higher rating would require at least one strong amplifier that is missing here: active exploitation, a public reliable PoC, no-user-interaction reachability, or broad cross-platform exposure. Instead, the chain compounds friction at every step: Mac-only, malicious file, user action, then post-execution controls on the endpoint.

Why not lower?

It is still a bona fide code-execution bug in a widely deployed browser, not a cosmetic policy bypass. Even with a narrow trigger, one phished executive MacBook is enough to make this a real incident, so dropping it to LOW or IGNORE would understate the endpoint impact.

05 · Compensating Control

What to do — in priority order.

Enforce rapid Chrome auto-update on managed Macs — Make sure enterprise management is not deferring Chrome stable updates on macOS and verify that devices are allowed to move to 149.0.7827.53+. For a MEDIUM noisgate verdict there is no mitigation SLA — go straight to the 365-day remediation window, but browsers should still ride the normal accelerated update channel because the fix is already in stable.
Block risky file delivery patterns — Tighten mail and web controls for suspicious archives, disk images, and low-reputation downloads that target Mac users. This is the highest-value choke point because the exploit needs a malicious file first; with a MEDIUM verdict there is no separate mitigation deadline, so use this as immediate risk reduction while you complete patching inside the remediation window.
Harden macOS endpoint response to browser-spawned payloads — Tune EDR to alert on Chrome spawning unusual child processes, AppleScript execution, LaunchAgent persistence, and credential-store access. That contains the real damage path after exploitation and is especially useful where browser version drift exists.
Prioritize high-value Mac cohorts — Focus version verification and update enforcement on admins, developers, finance, and executives using managed Macs. The CVE is not broad enough for a fleet panic, but it is absolutely worth closing first on users whose browser sessions carry privileged access.

What doesn't work

A network perimeter block alone does not solve this because the vulnerable surface is a local browser handling a delivered file, not a server listening on the edge
MFA helps with post-compromise account abuse, but it does not prevent the initial browser-side code execution
Relying on Safe Browsing itself is not enough here because the bug lives in that processing area
External attack-surface scans will not tell you much; this is inventory and endpoint hygiene, not exposure management through internet scanning

06 · Verification

Crowdsourced verification payload.

Run this on the target Mac endpoint or through your Mac management agent. Invoke it as bash check_chrome_cve_2026_11231.sh "/Applications/Google Chrome.app"; it needs only normal user rights to read the app bundle version and prints VULNERABLE, PATCHED, or UNKNOWN with an exit code.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/bin/bash
# check_chrome_cve_2026_11231.sh
# Determine whether Google Chrome on macOS is vulnerable to CVE-2026-11231
# Affected: Google Chrome on Mac prior to 149.0.7827.53
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

APP_PATH="${1:-/Applications/Google Chrome.app}"
REQUIRED_VERSION="149.0.7827.53"

if [[ "$(uname -s)" != "Darwin" ]]; then
  echo "UNKNOWN: This script is for macOS targets only"
  exit 2
fi

if [[ ! -d "$APP_PATH" ]]; then
  echo "UNKNOWN: Chrome app not found at $APP_PATH"
  exit 2
fi

PLIST="$APP_PATH/Contents/Info.plist"
if [[ ! -f "$PLIST" ]]; then
  echo "UNKNOWN: Info.plist not found at $PLIST"
  exit 2
fi

get_version() {
  /usr/libexec/PlistBuddy -c 'Print :KSVersion' "$PLIST" 2>/dev/null || \
  /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$PLIST" 2>/dev/null || \
  defaults read "$APP_PATH/Contents/Info" KSVersion 2>/dev/null || \
  defaults read "$APP_PATH/Contents/Info" CFBundleShortVersionString 2>/dev/null
}

normalize_version() {
  local v="$1"
  IFS='.' read -r a b c d <<< "$v"
  a=${a:-0}; b=${b:-0}; c=${c:-0}; d=${d:-0}
  printf '%d.%d.%d.%d\n' "$a" "$b" "$c" "$d"
}

version_lt() {
  local v1 v2 IFS=.
  read -r -a v1 <<< "$(normalize_version "$1")"
  read -r -a v2 <<< "$(normalize_version "$2")"
  for i in 0 1 2 3; do
    if (( v1[i] < v2[i] )); then
      return 0
    elif (( v1[i] > v2[i] )); then
      return 1
    fi
  done
  return 1
}

CURRENT_VERSION="$(get_version | head -n1 | tr -d '[:space:]')"

if [[ -z "$CURRENT_VERSION" ]]; then
  echo "UNKNOWN: Unable to determine Chrome version"
  exit 2
fi

if version_lt "$CURRENT_VERSION" "$REQUIRED_VERSION"; then
  echo "VULNERABLE: Chrome version $CURRENT_VERSION is earlier than $REQUIRED_VERSION"
  exit 1
else
  echo "PATCHED: Chrome version $CURRENT_VERSION is $REQUIRED_VERSION or newer"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not treat this like an edge-device fire drill; treat it like a targeted Mac endpoint browser risk. Pull your managed Mac Chrome inventory, identify anything below 149.0.7827.53, and close the gap through your normal browser rollout process. For a MEDIUM reassessment there is no noisgate mitigation SLA — go straight to the 365-day remediation window; the noisgate remediation SLA is ≤ 365 days. In practice, because the fixed build is already on stable and browser updates are low-friction, you should absorb this into the next managed Chrome wave and verify high-value Mac users first.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.