← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11269 · CWE-829 · Disclosed 2026-06-05

Inappropriate implementation in Extensions in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is less a front-door smash and more a crooked network switch swapping packages mid-delivery

CVE-2026-11269 is an inappropriate implementation flaw in Chrome Extensions, mapped to CWE-829, that affects Google Chrome desktop builds before 149.0.7827.53 and was disclosed on 2026-06-05. The vendor description says the attacker must be in a *privileged network position*, which means this is not an internet spray-and-pray browser bug; the attacker needs on-path capability to tamper with traffic that a vulnerable extension consumes, plus the victim still has to hit the extension code path.

Google scored it 7.1 HIGH, but that overstates the operational urgency for most enterprises. The real-world chain is hemmed in by four brakes at once: adjacent/on-path attacker position, AC:H, UI:R, and a client-side target that is not externally enumerable like a server CVE. Ubiquitous product exposure keeps it out of LOW, but this is still a downgrade because the exploit preconditions imply either local network access, prior compromise, or a very specific hostile network scenario rather than straightforward remote exploitation.

"This is a niche MITM browser bug, not a drop-everything enterprise fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Gain on-path position with bettercap or mitmproxy

The attacker first needs to sit in the victim's traffic path on a hostile or compromised network segment. In practice that means ARP spoofing, rogue gateway behavior, evil-twin Wi-Fi, or equivalent interception tooling such as bettercap or mitmproxy. This is already a major narrowing factor because the bug is not reachable from the open internet in the usual sense.
Conditions required:
  • Attacker can observe and tamper with victim network traffic
  • Victim is on the same segment, hostile Wi-Fi, or otherwise routed through attacker-controlled infrastructure
Where this breaks in practice:
  • Modern enterprise networks with NAC, WPA2-Enterprise, DHCP snooping, and client isolation make casual MITM much harder
  • Many extension-related fetches are TLS-protected, which limits useful tampering unless the vulnerable code path trusts weaker sources or attacker-controlled redirects
Detection/coverage: Network IDS may catch ARP spoofing, rogue DHCP, SSL interception, or suspicious proxy behavior, but commodity vuln scanners will not validate this precondition.
STEP 02

Steer the victim into the extension code path

The attacker then has to trigger the specific extension behavior that mishandles untrusted content or origin assumptions. Because the CVSS includes UI:R, the victim must browse, click, or otherwise interact in a way that causes the extension to process attacker-influenced data. This is narrower than a passive memory corruption bug that fires on page load alone.
Conditions required:
  • A vulnerable Chrome build is installed
  • The relevant extension functionality is present and used
  • The victim performs the required interaction
Where this breaks in practice:
  • Enterprises often restrict extension installation to an allowlist, reducing reachable extension population
  • Not every user runs the affected extension path during the attack window
Detection/coverage: Browser telemetry, extension inventory, and proxy logs can show whether the victim actually reached the affected workflow; scanner coverage is mostly version-based only.
STEP 03

Inject or substitute attacker-controlled extension content

Once the extension fetch or trust boundary is reached, the attacker abuses the inappropriate implementation to feed content from an untrusted sphere into the extension context. Tooling here is still ordinary MITM kit rather than a turnkey public exploit. The likely abuse pattern is content substitution, malicious response rewriting, or redirect-assisted loading into extension logic.
Conditions required:
  • The vulnerable fetch or trust decision is hit
  • The attacker can modify the relevant request or response in transit
Where this breaks in practice:
  • The vendor marked AC:H, which usually means the sequence or environmental setup is brittle
  • Browser hardening, certificate validation, and extension policy restrictions can break many attempted chains
Detection/coverage: Look for anomalous extension-related requests, odd redirects, certificate warnings, or browser proxy changes; signature-based detection will be weak until exploit details are public.
STEP 04

Land impact inside the browser user's security context

If the chain works, the attacker gets the impact Chrome modeled as high confidentiality, integrity, and availability loss. That sounds scary on paper, but the blast radius is still the browser session and user context on a single endpoint unless paired with follow-on credential theft or another local privilege path. For enterprise triage, that keeps this firmly below the level of a low-friction remote code execution against an internet-facing service.
Conditions required:
  • Successful content injection into the vulnerable extension handling path
Where this breaks in practice:
  • Impact is typically per-user and per-endpoint rather than instant domain-wide compromise
  • EDR, browser sync controls, credential protection, and session re-authentication can limit downstream abuse
Detection/coverage: EDR may catch follow-on payload execution or credential theft, but it may miss pure browser-side abuse if the attacker stays within the extension and session boundary.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found, and it is not present in CISA KEV as checked against the current catalog feed.
Public exploit / PoCNo credible public PoC or weaponized exploit repo was found for CVE-2026-11269. Realistic operator tooling would be generic MITM frameworks like bettercap or mitmproxy, which still need undisclosed bug specifics and the right extension path.
EPSS0.00008 probability, effectively near-floor risk in the EPSS model and consistent with a bug that has heavy preconditions.
KEV statusNot KEV-listed. Date checked: current CISA KEV feed at response time.
CVSS vectorCVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H = adjacent/on-path attacker, high complexity, no prior auth, user interaction required. Translation: technically ugly, operationally fussy.
Affected versionsGoogle Chrome desktop prior to 149.0.7827.53 per the advisory text you supplied. Google release pages also show the stable rollout landed as 149.0.7827.53/.54 depending on platform.
Fixed versionsTreat 149.0.7827.53 or later as patched across desktop, with Windows/macOS also seeing 149.0.7827.54 in stable rollout. No distro-style backport channel was identified from the vendor sources reviewed.
Scanning / exposure realityThere is no meaningful Shodan/Censys/FOFA angle here because this is a client-side browser flaw, not a listening service. Exposure is measured by endpoint version inventory and extension usage, not by internet scan counts.
Disclosure and creditsDisclosed on 2026-06-05. I did not find a trustworthy public source naming the reporting researcher for this specific CVE, which is common when Chrome withholds granular bug details until update adoption improves.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (4.6/10)

The decisive factor is the attacker position requirement: this bug needs a privileged on-path network vantage, which dramatically shrinks the reachable population and usually implies a hostile local network or prior foothold. Pair that with AC:H and UI:R, and the vendor's HIGH label stops looking like day-one enterprise urgency.

HIGH Downgrade from vendor HIGH based on attack-path friction
MEDIUM Exact extension abuse mechanics, because public technical detail is intentionally sparse

Why this verdict

  • Requires on-path adjacency: AV:A means the attacker is not remotely reaching Chrome from anywhere on the internet; they need local network influence or equivalent traffic interception.
  • High-complexity chain: Google's AC:H is a real downgrade lever here, because the attacker needs a brittle combination of interception, the right extension workflow, and timing that holds together in a modern managed browser estate.
  • User interaction is not optional: UI:R means the victim still has to do something useful for the attacker, which cuts mass exploitability and makes reliable automation harder at enterprise scale.
  • Blast radius is endpoint-scoped first: even with high CIA impact in CVSS terms, the initial win is still the user's browser context on a single machine, not an unauthenticated server-side takeover.
  • No exploitation signal: no KEV listing, no public campaign reporting, and an EPSS of 0.00008 all push down on urgency.

Why not higher?

Because this is not a low-friction remote exploit. The attacker needs adjacency or an on-path foothold, must survive modern network controls, and still needs user interaction plus the correct extension execution path. That is too much compound friction for HIGH in a 10,000-host enterprise patch queue.

Why not lower?

Because Chrome is everywhere, and browser-extension trust boundary bugs can still expose sensitive session data or enable targeted follow-on compromise when they do land. If you run a large roaming workforce on untrusted networks, the attacker-position brake is weaker than it looks on paper, so IGNORE or LOW would be too dismissive.

05 · Compensating Control

What to do — in priority order.

  1. Enforce extension allowlisting — Reduce reachable attack surface by limiting users to approved extensions and removing anything unnecessary or legacy. For a MEDIUM verdict there is no noisgate mitigation SLA; use this as an interim hardening step while you work inside the 365-day remediation window.
  2. Block hostile proxying and local MITM patterns — Use NAC, client isolation on guest networks, rogue AP detection, ARP spoofing detection, and certificate-inspection alerting to make the required on-path position harder to obtain. There is no noisgate mitigation SLA at MEDIUM; deploy opportunistically where users regularly operate on untrusted networks.
  3. Force rapid browser auto-update compliance — Chrome's built-in updater is your friend here: use enterprise policy and device management to keep the fleet at or above the fixed build and to identify stragglers quickly. At MEDIUM, there is no mitigation SLA; prioritize drift correction as part of normal endpoint hygiene before the 365-day remediation deadline.
  4. Increase browser telemetry collection — Collect Chrome version inventory, installed extension inventory, proxy settings, certificate warning events, and suspicious redirect telemetry so you can separate theoretical exposure from actual reachable usage. This is most useful on roaming endpoints because the exploit path depends on network placement and user behavior.
What doesn't work
  • A perimeter WAF does not help, because this is not an internet-facing web server flaw and the victim-side browser traffic may never cross your web app stack.
  • MFA does not prevent the initial browser-side exploit path; it only helps if the attacker tries to cash out stolen sessions or credentials later.
  • Generic external attack-surface scanning will not find this exposure, because the vulnerable asset is the client browser version plus extension behavior, not a public TCP listener.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your fleet tooling to check the installed Google Chrome version against the fixed floor. Invoke with python3 chrome_cve_2026_11269_check.py on macOS/Linux or py chrome_cve_2026_11269_check.py on Windows; no admin rights are required for standard installs, though some locked-down paths may need elevated read access.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3\n# CVE-2026-11269 Chrome version check\n# Exit codes:\n#   0 = PATCHED\n#   1 = VULNERABLE\n#   2 = UNKNOWN\n\nimport os\nimport platform\nimport re\nimport shutil\nimport subprocess\nimport sys\n\nFIXED_VERSION = (149, 0, 7827, 53)\n\ndef parse_version(text):\n    m = re.search(r'(\\d+)\\.(\\d+)\\.(\\d+)\\.(\\d+)', text or '')\n    if not m:\n        return None\n    return tuple(int(x) for x in m.groups())\n\ndef version_str(v):\n    return '.'.join(str(x) for x in v)\n\ndef run_cmd(cmd):\n    try:\n        p = subprocess.run(cmd, capture_output=True, text=True, timeout=10)\n        out = (p.stdout or '') + (p.stderr or '')\n        return out.strip()\n    except Exception:\n        return ''\n\ndef candidates_windows():\n    paths = [\n        os.path.expandvars(r'%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe'),\n        os.path.expandvars(r'%ProgramFiles(x86)%\\Google\\Chrome\\Application\\chrome.exe'),\n        os.path.expandvars(r'%LocalAppData%\\Google\\Chrome\\Application\\chrome.exe'),\n    ]\n    return [p for p in paths if p and os.path.exists(p)]\n\ndef candidates_macos():\n    paths = [\n        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',\n        os.path.expanduser('~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'),\n    ]\n    return [p for p in paths if os.path.exists(p)]\n\ndef candidates_linux():\n    found = []\n    for name in ['google-chrome', 'google-chrome-stable', 'chromium-browser', 'chromium']:\n        p = shutil.which(name)\n        if p:\n            found.append(p)\n    extra = [\n        '/opt/google/chrome/chrome',\n        '/usr/bin/google-chrome',\n        '/usr/bin/google-chrome-stable',\n        '/snap/bin/chromium',\n        '/usr/bin/chromium-browser',\n        '/usr/bin/chromium',\n    ]\n    for p in extra:\n        if os.path.exists(p) and p not in found:\n            found.append(p)\n    return found\n\ndef get_version_from_binary(path):\n    out = run_cmd([path, '--version'])\n    v = parse_version(out)\n    if v:\n        return v, out\n    return None, out\n\ndef get_version_windows_registry():\n    reg_paths = [\n        r'HKLM\\Software\\Google\\Chrome\\BLBeacon',\n        r'HKLM\\Software\\WOW6432Node\\Google\\Chrome\\BLBeacon',\n        r'HKCU\\Software\\Google\\Chrome\\BLBeacon',\n    ]\n    for reg_path in reg_paths:\n        out = run_cmd(['reg', 'query', reg_path, '/v', 'version'])\n        v = parse_version(out)\n        if v:\n            return v, out\n    return None, ''\n\ndef check_installs():\n    system = platform.system().lower()\n    seen = []\n\n    if system == 'windows':\n        reg_v, reg_raw = get_version_windows_registry()\n        if reg_v:\n            seen.append(('registry', reg_v, reg_raw))\n        for p in candidates_windows():\n            v, raw = get_version_from_binary(p)\n            if v:\n                seen.append((p, v, raw))\n    elif system == 'darwin':\n        for p in candidates_macos():\n            v, raw = get_version_from_binary(p)\n            if v:\n                seen.append((p, v, raw))\n    else:\n        for p in candidates_linux():\n            v, raw = get_version_from_binary(p)\n            if v:\n                seen.append((p, v, raw))\n\n    unique = {}\n    for loc, v, raw in seen:\n        unique[(loc, v)] = raw\n\n    if not unique:\n        print('UNKNOWN: Google Chrome version could not be determined on this host.')\n        sys.exit(2)\n\n    vulnerable = []\n    patched = []\n    for (loc, v), raw in unique.items():\n        if v < FIXED_VERSION:\n            vulnerable.append((loc, v))\n        else:\n            patched.append((loc, v))\n\n    if vulnerable:\n        details = '; '.join(f'{loc}={version_str(v)}' for loc, v in vulnerable)\n        print(f'VULNERABLE: found Chrome/Chromium build(s) below {version_str(FIXED_VERSION)} -> {details}')\n        sys.exit(1)\n\n    details = '; '.join(f'{loc}={version_str(v)}' for loc, v in patched)\n    print(f'PATCHED: all detected Chrome/Chromium build(s) are at or above {version_str(FIXED_VERSION)} -> {details}')\n    sys.exit(0)\n\nif __name__ == '__main__':\n    check_installs()\n
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: do not treat this like a perimeter emergency, but do use your browser inventory to find Chrome endpoints still below 149.0.7827.53 and clean up update drift. Because the reassessed verdict is MEDIUM, there is noisgate mitigation SLA — go straight to the 365-day remediation window for the actual browser update, while applying lightweight hardening such as extension allowlisting and hostile-network controls where easy; in other words, no special mitigation clock, but finish the vendor patch inside the noisgate remediation SLA of 365 days.

Sources

  1. Chrome Releases: Early Stable Update for Desktop
  2. Chrome Releases blog index
  3. Chrome for Testing availability dashboard
  4. CISA Known Exploited Vulnerabilities JSON feed
  5. FIRST EPSS API query for CVE-2026-11269
  6. MITRE CWE-829
  7. FIRST CVSS v3.1 specification
  8. Chrome Enterprise previous release notes
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.