CVE-2026-11245 · Inappropriate implementation in Payments in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a craf

01 · The Real Story

This is a fake cashier window, not a hole in the vault

Per the supplied intel, CVE-2026-11245 is an *inappropriate implementation* flaw in Payments in Google Chrome that affects versions prior to 149.0.7827.53 and enables UI spoofing via a crafted HTML page. That puts this squarely in the CWE-451 family: the browser can present misleading trust or payment-related UI badly enough that a malicious page can impersonate something the user should trust. Based on the provided CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, this is remote and low-complexity, but it still depends on the victim being tricked into interacting with the spoofed flow.

The vendor's MEDIUM 4.3 baseline is slightly generous for enterprise patch prioritization. In real fleets, this is not remote code execution, not sandbox escape, not credential dumping, and not a direct browser-to-host compromise; it is a social-engineering multiplier that makes payment or consent prompts more believable. Chrome's install base is enormous, which keeps it above IGNORE, but the combination of user interaction, integrity-only impact, no KEV listing, and very low EPSS pushes this down to LOW for patch-triage purposes.

"This is a phishing amplifier in a huge client footprint, not a breakout bug or wormable browser compromise."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a crafted payment-themed page

The attacker uses a phishing kit, malvertising landing page, or compromised site to get a target into Chrome and load attacker-controlled HTML. The bug lives in the browser's Payments-related UI handling, so the page must steer the user into a flow where trust in browser-rendered payment chrome matters.

Conditions required:

Target is using Google Chrome before 149.0.7827.53
Attacker can get the target to visit attacker-controlled web content
The target reaches a payment or payment-adjacent interaction path

Where this breaks in practice:

This is client-side, so there is no internet-facing daemon to mass-scan and auto-exploit
Many users never hit the specific Payments flow during ordinary browsing
Secure web gateways, URL filtering, and browser isolation cut down lure delivery

Detection/coverage: Traditional vuln scanners can inventory Chrome version, but they cannot prove exploitability of the UI condition itself. Web proxy, secure web gateway, and phishing telemetry are more useful than network scanners here.

STEP 02

Trigger misleading browser/payment UI

The crafted page abuses the Payments implementation flaw to render a convincing spoof of trusted UI or payment-state information. In practice, the attacker is trying to blur the line between page content and browser-trusted affordances so the victim misreads what they are approving.

Conditions required:

The vulnerable code path is reachable from page content
The browser renders the spoof in a way the user finds credible

Where this breaks in practice:

Chrome's general security UX work and hardened browser UI design reduce how often spoofing lands cleanly
Small rendering differences, enterprise branding, or user hesitation often break the phish

Detection/coverage: EDR rarely has semantic visibility into browser UI spoofing. Browser crash telemetry is usually irrelevant because this is not a memory-corruption failure mode.

STEP 03

Social-engineer the click or approval

The attacker still needs the human to act: click, confirm, continue, or trust what appears to be a legitimate payment indicator. That human step is the decisive friction point and is why this is not in the same class as a drive-by compromise.

Conditions required:

User interaction occurs
The victim interprets the spoofed UI as legitimate

Where this breaks in practice:

User skepticism, transaction review habits, and anti-phishing training disrupt conversion
Mature organizations often require out-of-band purchase approval or card controls that limit abuse

Detection/coverage: Email security, browser telemetry, and transaction monitoring may catch the lure or downstream fraud, but the click itself often looks like normal browsing.

STEP 04

Exploit trust to alter a user decision

If successful, the likely outcome is a bad user decision: approving an action, trusting a false payment state, or disclosing information in a page that appears more trustworthy than it is. The impact is primarily integrity harm at the user or transaction layer, not host takeover.

Conditions required:

The spoof influences a security-relevant or payment-relevant decision
Downstream business controls do not block the bad action

Where this breaks in practice:

Fraud monitoring, card controls, and business-process checks can limit final damage
The blast radius is usually one user session or transaction at a time

Detection/coverage: Detection usually shows up in fraud analytics, helpdesk reports, or phishing investigations rather than exploit telemetry.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence located and not KEV-listed based on the supplied intel and current review of CISA's catalog.
Proof-of-concept availability	No public PoC located. Chrome release notes also note that bug details are often restricted until most users are updated, which commonly suppresses early exploit writeups.
EPSS	0.00022 per supplied intel, which is extremely low. I did not independently verify the percentile for this exact CVE.
KEV status	No. CISA KEV has no current listing for this CVE.
CVSS vector readout	`AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N` means remote delivery, no auth, but user interaction required, with integrity-only impact and no confidentiality or availability impact.
Affected versions	Supplied intel says Google Chrome prior to 149.0.7827.53. Chrome's June 2, 2026 desktop stable release moved Linux to 149.0.7827.53 and Windows/Mac to 149.0.7827.53/.54.
Fixed versions	Use 149.0.7827.53 or later as the minimum safe floor for fleet policy; Windows/Mac stable release notes show 149.0.7827.53/.54 and Linux 149.0.7827.53.
Scanning/exposure reality	Shodan/Censys-style exposure data is mostly irrelevant here because this is a client browser flaw, not a server-side listening service. Exposure scales with your managed Chrome endpoint count, not internet-facing socket count.
Disclosure date	2026-06-05 per supplied intel. Chrome 149 stable desktop shipped on 2026-06-02, which is consistent with a post-release public disclosure cadence.
Comparable precedent	Chrome previously shipped a closely related Payments UI spoofing bug, CVE-2025-0442, also rated Medium by Chromium release notes. That precedent supports treating this as a recurring trust/UI issue rather than a system-compromise bug.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.2/10)

The decisive downgrade factor is required human interaction in a spoofing scenario, which makes this a phishing-force-multiplier rather than a direct compromise primitive. Even on a massive Chrome footprint, the blast radius is usually bounded to the users who can be lured into a specific payment-adjacent flow, and the technical impact remains integrity-only.

HIGH User-interaction and impact-based downgrade from MEDIUM to LOW

MEDIUM Exact exploit mechanics for this specific CVE, because public bug details were not independently located

Why this verdict

User interaction required: the supplied vector includes UI:R, which means the exploit chain still depends on a human being fooled into acting; that is a major real-world downgrade from purely technical browser compromise.
Integrity-only impact: the supplied vector shows C:N/I:L/A:N, so this does not directly expose data, execute code, or crash hosts. The main harm is manipulating a decision or trust signal.
Client-side reachability is narrower than the install base suggests: yes, Chrome is everywhere, but this is not an unauthenticated service you can sweep with mass scanners. It only matters on endpoints that both browse to attacker content and hit the vulnerable Payments UI path.
No exploitation pressure signals: no KEV entry, no public PoC located, and an EPSS of 0.00022 all argue against emergency handling.
Comparable Chrome history points to nuisance-class browser security UX bugs: prior Payments/UI spoofing issues in Chrome have landed in the medium-to-low practical risk band rather than the breakout/RCE band.

Why not higher?

There is no evidence here of code execution, sandbox escape, privilege gain, persistence, or confidentiality impact. The attacker must both deliver the lure and win the human decision, which is materially different from a browser bug that compromises the endpoint on page load.

Why not lower?

This still lives in Chrome, one of the highest-volume enterprise clients you own, and it targets payment trust cues, which can convert directly into fraud or bad approvals. A browser trust-boundary failure with broad fleet prevalence deserves tracking and patching, even if it is not an urgent fire drill.

05 · Compensating Control

What to do — in priority order.

Force browser auto-update — Use managed Chrome policies and endpoint management to keep stable-channel updates flowing without waiting for user action. For a LOW noisgate verdict there is no SLA; treat this as backlog hygiene and fold it into your standard browser update cadence.
Route risky browsing through SWG or RBI — Apply secure web gateway filtering or remote browser isolation for untrusted categories, newly registered domains, and payment-themed lures to cut off delivery before the spoof is rendered. For LOW, there is no SLA; deploy where you already have the stack rather than launching a net-new emergency project.
Harden payment workflows — Require out-of-band approval, transaction review, and card-use controls for sensitive purchasing flows so a misleading browser prompt does not directly become a fraudulent payment. For LOW, there is no SLA; prioritize this in business units that use browser-based procurement heavily.
Trim stored payment surfaces — Reduce reliance on browser-stored payment methods and auto-fill for high-risk populations if your risk model allows it, because fewer embedded payment affordances means less value in spoofing them. For LOW, there is no SLA; apply selectively to finance, procurement, and admin cohorts.

What doesn't work

MFA does not meaningfully stop a user from being tricked by spoofed payment UI because the problem is trust in what the browser is showing, not account-login weakness.
EDR alone is weak here because there may be no payload, no exploit crash, and no post-exploitation artifact; a successful session can look like normal browsing followed by a bad user decision.
Network perimeter scanning will not find exploitability because this is not a server-side exposed service. Version inventory matters more than exposure scanning.

06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your software inventory/remote execution platform. Invoke it with python3 check_chrome_cve_2026_11245.py on macOS/Linux or py check_chrome_cve_2026_11245.py on Windows; standard user rights are usually enough, though some Windows install locations or registry paths may be easier to read with local admin.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# check_chrome_cve_2026_11245.py
# Detect whether installed Google Chrome is below 149.0.7827.53.
# Outputs one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import platform
import re
import subprocess
import sys

THRESHOLD = (149, 0, 7827, 53)
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)\.(\d+)')


def parse_version(text):
    if not text:
        return None
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def cmp_ver(a, b):
    return (a > b) - (a < b)


def run_cmd(cmd):
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        out = (p.stdout or '') + ' ' + (p.stderr or '')
        return parse_version(out.strip())
    except Exception:
        return None


def windows_candidates():
    candidates = []
    for base in [
        os.environ.get('ProgramFiles'),
        os.environ.get('ProgramFiles(x86)'),
        os.environ.get('LocalAppData')
    ]:
        if base:
            candidates.append(os.path.join(base, 'Google', 'Chrome', 'Application', 'chrome.exe'))
    return candidates


def mac_candidates():
    return [
        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
        os.path.expanduser('~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome')
    ]


def linux_candidates():
    return [
        'google-chrome',
        'google-chrome-stable',
        '/usr/bin/google-chrome',
        '/usr/bin/google-chrome-stable',
        '/opt/google/chrome/chrome'
    ]


def get_version_windows():
    # Try executable --version first
    for path in windows_candidates():
        if os.path.exists(path):
            v = run_cmd([path, '--version'])
            if v:
                return v, path

    # Try registry via PowerShell if available
    ps = [
        'powershell', '-NoProfile', '-Command',
        r"$paths=@('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome',"
        r"'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome',"
        r"'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome');"
        r"foreach($p in $paths){if(Test-Path $p){$v=(Get-ItemProperty $p).DisplayVersion; if($v){Write-Output $v; break}}}"
    ]
    v = run_cmd(ps)
    if v:
        return v, 'registry'

    return None, None


def get_version_mac():
    for path in mac_candidates():
        if os.path.exists(path):
            v = run_cmd([path, '--version'])
            if v:
                return v, path
    return None, None


def get_version_linux():
    for path in linux_candidates():
        v = run_cmd([path, '--version'])
        if v:
            return v, path
    return None, None


def main():
    system = platform.system().lower()
    version = None
    source = None

    if 'windows' in system:
        version, source = get_version_windows()
    elif 'darwin' in system or 'mac' in system:
        version, source = get_version_mac()
    elif 'linux' in system:
        version, source = get_version_linux()
    else:
        print('UNKNOWN: unsupported platform')
        sys.exit(2)

    if not version:
        print('UNKNOWN: Google Chrome version not found')
        sys.exit(2)

    version_str = '.'.join(str(x) for x in version)
    if cmp_ver(version, THRESHOLD) < 0:
        print(f'VULNERABLE: Google Chrome {version_str} detected via {source}; requires >= 149.0.7827.53')
        sys.exit(1)
    else:
        print(f'PATCHED: Google Chrome {version_str} detected via {source}; meets >= 149.0.7827.53')
        sys.exit(0)


if __name__ == '__main__':
    main()

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: inventory Chrome versions and let normal browser hygiene do the work. For a LOW verdict there is no noisgate mitigation SLA and noisgate remediation SLA is effectively backlog hygiene, so there is no mitigation SLA — treat this as standard fleet maintenance and move affected endpoints to 149.0.7827.53+ in your next normal browser rollout rather than burning outage capital; if you run high-risk browser-based procurement or finance workflows, tighten gateway filtering and approval controls in the same maintenance window.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.