← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11262 · CWE-416 · Disclosed 2026-06-05

Use after free in TabStrip in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is less a front-door master key than a brittle latch that only matters if the attacker can make your user jiggle it just right

CVE-2026-11262 is a use-after-free in Chrome's TabStrip UI component. The affected desktop builds are Chrome versions before 149.0.7827.53 on Linux and before 149.0.7827.53/.54 on Windows and macOS, as documented in Google's June 2, 2026 stable release. In plain English: a malicious webpage can try to push the browser into reusing a stale UI object tied to tab handling, creating memory corruption conditions.

The user-provided HIGH 8.8 story overstates what matters for a 10,000-host patch queue. Google's own stable-channel advisory classifies this CVE as LOW, not HIGH, and that lines up better with reality: exploitation needs user-driven web content delivery, then a reliable browser-memory-corruption chain against a heavily hardened target, and there is no KEV entry, no observed in-the-wild exploitation, and an extremely low EPSS.

"Remote content can trigger it, but Google itself rated it LOW and the real-world exploit chain has a lot of friction."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a malicious webpage

The attacker needs a user to browse to attacker-controlled HTML. The practical tooling here is ordinary web delivery: phishing links, malvertising, or a compromised site serving JavaScript/DOM sequences intended to exercise the TabStrip code path.
Conditions required:
  • Unauthenticated remote reach to a target user through web content
  • A user running a vulnerable Chrome desktop build
  • The user must open the page
Where this breaks in practice:
  • This is UI:R, so it is not wormable and not zero-click
  • Enterprise web filtering, Safe Browsing, mail filtering, and user training reduce delivery success
  • Chrome auto-update shrinks the long-tail exposure window
Detection/coverage: Email/web gateways may catch delivery, but generic vuln scanners only confirm version exposure. They do not prove the bug is reachable in a given browsing workflow.
STEP 02

Trigger the stale-pointer condition in TabStrip

Once the page is open, the attacker must cause a browser state transition that touches TabStrip lifecycle logic after an object has been freed. That usually means carefully timed DOM, navigation, focus, popup, or tab-state changes rather than a simple one-shot request.
Conditions required:
  • The crafted page must hit the vulnerable code path
  • The browser must be in a state where tab/UI operations interact with the bug
Where this breaks in practice:
  • UI-adjacent bugs are often stateful and timing-sensitive
  • Exploit reliability drops across OSes, channel builds, and user behavior
  • A restricted Chromium issue suggests Google kept details non-public pending patch uptake
Detection/coverage: Browser crash telemetry, EDR process-crash events, and Chromium crash signatures are more useful than network IDS here. External scanners have little visibility into this step.
STEP 03

Turn memory corruption into controlled execution

A use-after-free by itself is not impact; it is an opportunity. The attacker still has to shape heap state, bypass modern Chrome mitigations, and convert corruption into a dependable control primitive using classic exploit-development techniques such as heap grooming and object replacement.
Conditions required:
  • Reliable exploit primitives from the UAF
  • A target platform/build where the mitigations can be bypassed
  • Sufficient exploit engineering investment
Where this breaks in practice:
  • Modern Chrome ships substantial memory-safety hardening, allocator defenses, and exploit mitigations
  • No public PoC materially lowers copy-paste attacker access
  • The official Google severity being LOW is a strong signal that upstream did not view this as a straightforward RCE path
Detection/coverage: EDR may catch anomalous child-process behavior or shellcode-like memory activity after compromise, but there is no high-confidence signature for the pre-exploitation stage.
STEP 04

Achieve useful post-exploitation impact

Even if code execution is achieved, the attacker still needs to translate that foothold into business impact on the endpoint. Depending on where execution lands, they may still need sandbox escape, credential theft, or follow-on execution to reach persistence or lateral movement.
Conditions required:
  • Successful code execution from the browser context
  • Valuable user context or a second-stage payload
Where this breaks in practice:
  • Browser compromise does not automatically equal full workstation takeover
  • EDR, application control, and browser sandboxing can contain or expose follow-on actions
Detection/coverage: Post-exploit activity is where defenders have the best chance: EDR telemetry, process lineage, suspicious downloads, and unusual browser child-process events.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed exploitation found. I found no KEV entry and no authoritative vendor statement indicating active attacks.
KEV statusNot KEV-listed in CISA's catalog as checked against the current KEV catalog.
Proof-of-concept availabilityNo public PoC located from vendor or Chromium references. The Chromium issue exists, but public details are restricted/minimal, which raises attacker effort.
EPSS0.0008 from the user intel, which is very low predicted near-term exploitation likelihood. EPSS is threat-likelihood input, not impact.
Vendor severity mismatchImportant correction: Google's June 2, 2026 stable release lists CVE-2026-11262 as LOW, not HIGH. That is the single biggest reason this gets downgraded.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H means remote delivery with required user interaction. In browser triage, UI:R is real friction, not a rounding error.
Affected versionsChrome desktop before 149.0.7827.53 on Linux and before 149.0.7827.53/.54 on Windows/macOS, per Google's stable release notes.
Fixed versionsUpgrade to at least 149.0.7827.53 on Linux and 149.0.7827.53 or .54 on Windows/macOS. Extended Stable remained on 148.0.7778.254 at the same time, so validate your channel before assuming exposure.
Exposure/scanning realityNot meaningfully Shodan/Censys/FOFA-scannable. This is client software, not an internet-facing listener. Your exposure dataset is browser inventory from EDR, MDM, or enterprise browser management.
Disclosure and reporterGoogle's stable release published the fix on 2026-06-02 and credits the bug as reported by Google on 2026-04-03. The user-provided disclosure date was 2026-06-05; the public Chrome release carrying the fix was earlier.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.6/10)

The decisive factor is real exploit friction: this requires user interaction and then a reliable memory-corruption exploit against a hardened browser, with no current evidence that attackers are investing in that chain. On top of that, Google's own advisory classifies this specific bug as LOW, which is a much better anchor than an abstract 8.8-style browser-RCE label.

HIGH Affected version floor and fixed builds
HIGH Vendor severity mismatch between user-supplied HIGH and Google's published LOW
MEDIUM Exploitability assessment without public root-cause details

Why this verdict

  • Baseline downshift: the user-supplied 8.8 HIGH is contradicted by Google's June 2, 2026 Chrome release, which labels CVE-2026-11262 as LOW.
  • Attacker position matters: this is AV:N but also UI:R; the attacker needs a user to open crafted content, which implies a delivery stage that modern mail/web controls often break.
  • Population is huge, but exposure is short-lived: Chrome is everywhere, yet enterprise auto-update and managed browser rollouts reduce dwell time for a single fixed desktop build.
  • Exploit engineering burden is non-trivial: use-after-free in a modern browser is not copy-paste RCE; it needs heap shaping and mitigation bypasses, and there is no public PoC to lower the bar.
  • Threat intel is cold: no KEV, no authoritative active-exploitation reporting, and an EPSS of 0.0008 all push urgency down.

Why not higher?

There is no credible evidence of exploitation, no public PoC, and the official Chrome release classifies this exact bug as LOW. A HIGH or CRITICAL call would require either active abuse, a public exploit chain, or materially less friction than a UI:R browser memory bug in a hardened target.

Why not lower?

It is still a browser memory-safety flaw delivered through normal web content, and Chrome's deployment footprint means even low-probability bugs can matter at fleet scale. If your browser estate is unmanaged or lags auto-update badly, the reachable population is large enough that this should stay above pure backlog hygiene.

05 · Compensating Control

What to do — in priority order.

  1. Confirm browser inventory — Use EDR, MDM, or browser-management telemetry to identify hosts below 149.0.7827.53 (.54 also acceptable on Windows/macOS). For a MEDIUM noisgate verdict there is no mitigation SLA; do this in the normal remediation workflow so you can move straight into the 365-day patch window with accurate scope.
  2. Force auto-update compliance — Verify Chrome update services, Omaha policies, and deferred-ring settings are not pinning endpoints below the fixed build. There is no mitigation SLA for MEDIUM, but tightening update compliance now prevents this class of browser issue from aging into long-tail exposure.
  3. Reduce untrusted browsing paths — Keep Safe Browsing, web filtering, and mail URL protection enabled because they reduce the only practical first step: getting users onto attacker-controlled HTML. There is no mitigation SLA here; this is a standing control that lowers delivery success while the normal remediation cycle catches up.
  4. Watch browser crash and child-process telemetry — Monitor for Chrome crashes, repeated renderer/browser instability, and suspicious browser-spawned processes on vulnerable hosts. There is no mitigation SLA for MEDIUM, but this is your best short-term detection control if you cannot immediately prove full patch coverage.
What doesn't work
  • A perimeter vulnerability scanner won't meaningfully reduce risk here, because this is a client-side browser flaw and not an internet-facing service.
  • WAF rules do not help on endpoints browsing the public web; the malicious payload is rendered by the user's browser, not blocked at your server edge.
  • Network segmentation is mostly irrelevant for initial exploitation because the entry point is ordinary outbound web browsing.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your software-distribution/EDR script runner. Invoke it as python3 chrome_cve_2026_11262_check.py on Linux/macOS or py chrome_cve_2026_11262_check.py on Windows; standard user rights are usually enough, though some locked-down Windows installs may require read access to Chrome registry/file metadata.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# CVE-2026-11262 Chrome version check
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import platform
import re
import subprocess
import sys

FIXED = (149, 0, 7827, 53)


def parse_version(text):
    if not text:
        return None
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_ge(a, b):
    return a >= b


def run_cmd(cmd):
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10)
        out = (p.stdout or '') + '\n' + (p.stderr or '')
        return out.strip()
    except Exception:
        return ''


def get_versions_linux_macos():
    candidates = [
        ['google-chrome', '--version'],
        ['google-chrome-stable', '--version'],
        ['chromium', '--version'],
        ['chromium-browser', '--version'],
        ['/Applications/Google Chrome.app/Contents/MacOS/Google Chrome', '--version'],
    ]
    found = []
    for cmd in candidates:
        out = run_cmd(cmd)
        v = parse_version(out)
        if v:
            found.append((' '.join(cmd[:-1]), v))
    return found


def get_versions_windows():
    found = []

    reg_paths = [
        r'HKLM\Software\Google\Chrome\BLBeacon',
        r'HKCU\Software\Google\Chrome\BLBeacon',
        r'HKLM\Software\WOW6432Node\Google\Chrome\BLBeacon',
    ]
    for key in reg_paths:
        out = run_cmd(['reg', 'query', key, '/v', 'version'])
        v = parse_version(out)
        if v:
            found.append((key, v))

    powershell = [
        'powershell', '-NoProfile', '-Command',
        "$paths=@(\n" \
        "  $env:ProgramFiles+'\\Google\\Chrome\\Application\\chrome.exe',\n" \
        "  $env:'ProgramFiles(x86)'+'\\Google\\Chrome\\Application\\chrome.exe',\n" \
        "  $env:LocalAppData+'\\Google\\Chrome\\Application\\chrome.exe'\n" \
        "); foreach($p in $paths){ if(Test-Path $p){ try{ (Get-Item $p).VersionInfo.ProductVersion }catch{} } }"
    ]
    out = run_cmd(powershell)
    for line in out.splitlines():
        v = parse_version(line)
        if v:
            found.append(('chrome.exe', v))

    uniq = []
    seen = set()
    for name, ver in found:
        if ver not in seen:
            uniq.append((name, ver))
            seen.add(ver)
    return uniq


def main():
    system = platform.system().lower()
    if 'windows' in system:
        versions = get_versions_windows()
    else:
        versions = get_versions_linux_macos()

    if not versions:
        print('UNKNOWN: Google Chrome version not found')
        sys.exit(2)

    vulnerable = []
    patched = []
    for name, ver in versions:
        if version_ge(ver, FIXED):
            patched.append((name, ver))
        else:
            vulnerable.append((name, ver))

    def fmt(items):
        return ', '.join([f'{name}={".".join(map(str, ver))}' for name, ver in items])

    if vulnerable:
        msg = 'VULNERABLE: ' + fmt(vulnerable)
        if patched:
            msg += ' | Also found patched installs: ' + fmt(patched)
        print(msg)
        sys.exit(1)

    print('PATCHED: ' + fmt(patched))
    sys.exit(0)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: treat this as a managed browser hygiene issue, not a fleet-emergency fire drill. Validate which desktops are still below 149.0.7827.53/.54, make sure Chrome auto-update policy is actually landing, and fold any stragglers into your standard browser patch wave; because this is a MEDIUM noisgate verdict, there is no mitigation SLA — go straight to the 365-day remediation window under the noisgate mitigation SLA / noisgate remediation SLA model, though in practice most enterprises should clear browser laggards far sooner than that.

Sources

  1. Google Chrome Releases - Stable Channel Update for Desktop (June 2, 2026)
  2. Google Chrome Releases - Early Stable Update for Desktop (May 29, 2026)
  3. Chromium issue 499386363
  4. Chromium Chrome Security Page
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS API documentation
  7. Google Chrome Releases - June 2026 archive
  8. Google Chrome for Android Update (June 2, 2026; notes corresponding desktop security fixes)
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.