← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11253 · CWE-362 · Disclosed 2026-06-05

Inappropriate implementation in Permissions in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a pickpocketing bug that only works if the browser writes the wrong name on the envelope mid-handoff

CVE-2026-11253 is a Chrome Permissions flaw affecting versions before 149.0.7827.53 on Linux and before the 149.0.7827.53/54 desktop rollout on Windows and macOS. The supplied CVE text says a remote attacker can leak cross-origin data through a crafted HTML page; the linked Chromium fix strongly suggests a navigation/permissions race where Chrome could commit permission-related changes against the wrong page URL after navigation.

I would *downgrade* this from the supplied MEDIUM 4.3 baseline to LOW for enterprise patch triage. The decisive friction is that this is still a browser-side, user-driven, low-confidentiality leak with no exploit evidence, no KEV listing, no public weaponization, and a bug shape that looks timing-sensitive; that is not where a 10,000-endpoint team burns emergency patch capital.

"Real bug, real fix, but the exploit path is a finicky browser race with low payoff and no field evidence."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Lure the user into attacker HTML

The attacker needs a victim to browse to a malicious page that hosts a custom HTML/JavaScript race harness. No auth is required, but the attack begins only after the user lands on attacker-controlled web content.
Conditions required:
  • Victim uses Chrome below 149.0.7827.53
  • Victim visits attacker-controlled content
  • Attacker can execute browser-side JavaScript
Where this breaks in practice:
  • Requires user interaction (UI:R), so this is not wormable or ambient internet noise
  • Web filtering, URL isolation, and standard user caution all reduce reach
  • Enterprise browser populations auto-update quickly unless pinned
Detection/coverage: Network scanners will miss this; coverage comes from browser version inventory, EDR software inventory, and managed Chrome enterprise telemetry.
STEP 02

Trigger the permissions/navigation race

The likely weaponized tool here is a *custom HTML/JS race harness* built around the permissions flow. The Chromium fix for bug 498397912 stores the top-level URL when the bubble model is created and reuses it on commit, which implies the vulnerable state happened when navigation changed the effective page identity during commit.
Conditions required:
  • Attacker can induce the relevant permissions UI/state transition
  • Victim browser hits the vulnerable timing window
  • Navigation or state change occurs before permission changes are committed
Where this breaks in practice:
  • Race conditions are notoriously brittle across hardware, tabs, focus state, and release builds
  • The issue tracker is restricted and there is no public PoC, so repeatability is unproven
  • Modern site isolation and browser hardening contain blast radius to data exposure rather than code execution
Detection/coverage: There is no reliable signature for the race itself. Hunt indirectly for suspicious permission prompts, rapid same-tab navigations, and web telemetry anomalies if your browser stack records them.
STEP 03

Read limited cross-origin data

If the race lands, the attacker gains a cross-origin data leak primitive, not code execution. The supplied CVSS and CVE text both indicate *confidentiality-only* impact with no integrity or availability effect, which is materially different from the far more urgent Chrome memory corruption bugs in the same release.
Conditions required:
  • Exploit successfully misbinds permission-related state to the wrong origin
  • Targeted data is accessible through the mistaken state
Where this breaks in practice:
  • Impact is capped at C:L in the supplied vector
  • No sandbox escape, persistence, or direct tenant-wide takeover follows from this bug alone
  • Practical value depends on the victim being logged into something worth stealing in-browser
Detection/coverage: Difficult to detect post-facto from the endpoint alone. Browser forensic value is limited unless you already retain detailed web session telemetry.
STEP 04

Exfiltrate through normal web traffic

The attacker can send any recovered data back over ordinary HTTPS from the same malicious page. That keeps the exploit chain operationally simple once the leak works, but the exfil volume is likely small because the bug is a low-grade disclosure primitive rather than bulk read access.
Conditions required:
  • Attacker-controlled page remains active long enough to send results
  • Egress to attacker infrastructure is allowed
Where this breaks in practice:
  • Leak value may be too small or inconsistent to justify real-world attacker effort
  • Browser tab closure, ad/script blockers, and session churn can interrupt the chain
Detection/coverage: Only generic web telemetry applies: unusual outbound requests from the victim session, suspicious domains, or browser extension/network logging if deployed.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found, and the user-supplied intel says KEV: No.
PoC availabilityNo public exploit repo or named PoC located. The Chromium issue is access-restricted, which usually means details were not broadly published at disclosure time.
EPSS0.00017 from the supplied intel — effectively background noise.
KEV statusNot KEV-listed in the supplied intel as of 2026-06-05/2026-06-06.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N — internet-reachable in theory, but *user interaction required* and *confidentiality impact only*.
Affected versionsChrome before 149.0.7827.53; desktop stable release notes show 149.0.7827.53 for Linux and 149.0.7827.53/54 for Windows/macOS.
Fixed versionsDesktop stable on 2026-06-02: Linux 149.0.7827.53, Windows/macOS 149.0.7827.53/54. Early stable went to a small percentage earlier on 2026-05-20.
Root-cause signal from the fixThe linked Chromium commit for bug 498397912 stores the page URL at bubble creation and reuses it on commit. *Inference:* exploitability depends on a navigation/commit race, which is exactly the kind of fragility that pushes severity down.
Exposure/scanning realityThis is a client-side browser flaw, not an internet-facing service. Shodan/Censys-style exposure counts are largely irrelevant; your true exposure metric is unmanaged or version-pinned Chrome endpoints.
Disclosure / reportingDisclosed 2026-06-05; Chrome release notes list it as reported by Google on 2026-04-01.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.2/10)

The single biggest downward driver is that this appears to be a timing-sensitive permissions/navigation race, not a clean, deterministic browser break. Combined with UI:R, low confidentiality impact, and no exploitation evidence, that makes this a real but low-priority patching item for enterprise operations.

HIGH Version scope and fix release dates
MEDIUM Assessment that the bug is a narrow navigation/commit race based on the linked fix
MEDIUM Severity downgrade from the supplied 4.3 baseline

Why this verdict

  • Attacker position is still pre-exploitation web content, but it requires a browsing victim. UI:R means phishing, malvertising, or lure traffic first; this is immediate downward pressure versus a no-click browser bug.
  • The prerequisite implies a narrow reachable population per attempt. The attacker does not hit all Chrome installs; they hit only users who land on the malicious page and then satisfy the timing needed for the permissions flow.
  • The bug shape looks brittle. The official fix ties the permission commit to the original top-level URL, which strongly suggests a race during navigation; races are materially harder to weaponize and scale than straight logic bypasses.
  • Impact is confidentiality-only and low-grade. The supplied vector is C:L/I:N/A:N, so even successful exploitation does not buy code execution, persistence, or broad integrity damage.
  • No modern exposure amplifier is present. No KEV, no public PoC, no field exploitation, and no indication of mass scanning or turnkey operator use.

Why not higher?

This is not an RCE, not a sandbox escape, and not a zero-click browser bug. The attack requires a victim session, a crafted page, and what looks like a narrow timing condition tied to permission state and navigation, so the practical blast radius is far below Chrome's truly urgent memory corruption issues.

Why not lower?

It is still a remotely triggerable browser privacy boundary failure in one of the most widely deployed enterprise applications on earth. If you leave old Chrome versions lying around on unmanaged endpoints, an attacker can still try to steal cross-origin data from active browsing sessions, so this is not something to ignore outright.

05 · Compensating Control

What to do — in priority order.

  1. Enforce browser auto-update — Make sure Chrome stable updates are not pinned behind stale rings or disabled by policy. For a LOW verdict there is no SLA (treat as backlog hygiene), but this is the cheapest control to reduce lingering exposure without waiting for a special project.
  2. Find version-pinned laggards — Query EDR, software inventory, or Chrome enterprise reporting for endpoints below 149.0.7827.53. There is no mitigation SLA (backlog hygiene) here, so use normal operations time to clean up exceptions rather than launching an incident sprint.
  3. Reduce unmanaged browsing risk — Apply standard web protections such as URL filtering, browser isolation for high-risk groups, and least-privilege browsing on contractor/BYOD edges. These controls reduce the probability that a user ever lands on the malicious page while you remediate through normal patching hygiene.
  4. Monitor permission-prompt anomalies — If your browser telemetry stack supports it, look for unusual permission prompt patterns or rapid navigation changes tied to suspicious domains. This will not prove exploitation, but it can help surface attempted weaponization during the backlog window.
What doesn't work
  • Perimeter vulnerability scanners — this is a client-side browser issue, so network scanning your public IP space tells you almost nothing.
  • WAF rules — the vulnerable component is the user's browser state machine, not a server endpoint you can shield with HTTP filtering.
  • MFA — useful for account theft generally, but it does not stop a same-session browser data leak if the victim is already authenticated in the tab.
06 · Verification

Crowdsourced verification payload.

Run this from the target endpoint itself or through your EDR live-response shell. Invoke it as python3 check_chrome_cve_2026_11253.py; it needs only normal user rights because it reads executable paths and runs --version.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# check_chrome_cve_2026_11253.py
# Detect Chrome/Chromium versions affected by CVE-2026-11253.
# Outputs one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import platform
import re
import shutil
import subprocess
import sys
from typing import List, Optional, Tuple

FIXED = (149, 0, 7827, 53)
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)\.(\d+)')


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def run_version_cmd(path: str) -> Optional[str]:
    try:
        out = subprocess.check_output([path, '--version'], stderr=subprocess.STDOUT, text=True, timeout=10)
        return out.strip()
    except Exception:
        return None


def candidate_paths() -> List[str]:
    system = platform.system().lower()
    paths = []

    if system == 'windows':
        envs = [
            os.environ.get('PROGRAMFILES'),
            os.environ.get('PROGRAMFILES(X86)'),
            os.environ.get('LOCALAPPDATA')
        ]
        suffixes = [
            r'Google\Chrome\Application\chrome.exe',
            r'Chromium\Application\chrome.exe'
        ]
        for base in envs:
            if not base:
                continue
            for suffix in suffixes:
                paths.append(os.path.join(base, suffix))
    elif system == 'darwin':
        paths.extend([
            '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
            '/Applications/Chromium.app/Contents/MacOS/Chromium',
            os.path.expanduser('~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'),
            os.path.expanduser('~/Applications/Chromium.app/Contents/MacOS/Chromium')
        ])
    else:
        binaries = [
            'google-chrome', 'google-chrome-stable', 'chromium', 'chromium-browser', 'chrome'
        ]
        for b in binaries:
            resolved = shutil.which(b)
            if resolved:
                paths.append(resolved)
        paths.extend([
            '/opt/google/chrome/chrome',
            '/usr/bin/google-chrome',
            '/usr/bin/google-chrome-stable',
            '/usr/bin/chromium',
            '/usr/bin/chromium-browser'
        ])

    # Deduplicate while preserving order
    seen = set()
    uniq = []
    for p in paths:
        if p and p not in seen:
            seen.add(p)
            uniq.append(p)
    return uniq


def main() -> int:
    found = []
    for path in candidate_paths():
        if not os.path.exists(path):
            continue
        out = run_version_cmd(path)
        if not out:
            continue
        ver = parse_version(out)
        if ver:
            found.append((path, out, ver))

    if not found:
        print('UNKNOWN - Chrome/Chromium executable not found or version unreadable')
        return 2

    vulnerable = []
    patched = []
    for path, raw, ver in found:
        if ver < FIXED:
            vulnerable.append((path, raw))
        else:
            patched.append((path, raw))

    if vulnerable:
        print('VULNERABLE')
        for path, raw in vulnerable:
            print(f'  {path} -> {raw}')
        return 1

    print('PATCHED')
    for path, raw in patched:
        print(f'  {path} -> {raw}')
    return 0


if __name__ == '__main__':
    sys.exit(main())
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat this like a Chrome fire drill. Use your normal browser hygiene lane: validate that auto-update is working, pull a report of any endpoints below 149.0.7827.53, and clean up version-pinned exceptions in routine operations. For a LOW verdict, the noisgate mitigation SLA is no SLA (treat as backlog hygiene), and the noisgate remediation SLA is also no SLA (treat as backlog hygiene) — so patch it in the next standard browser maintenance cycle, but spend this week on the Chrome bugs that deliver code execution or have exploitation evidence.

Sources

  1. Chrome Releases: Stable Channel Update for Desktop (June 2, 2026)
  2. Chrome Releases: Early Stable Update for Desktop (May 20, 2026)
  3. Chrome for Developers: Change in release schedule from Chrome 110
  4. Chromium commit fixing bug 498397912
  5. Chromium code review for fix 498397912
  6. Chromium issue 498397912
  7. Chrome Releases homepage / archive
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.