← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11283 · CWE-20 · Disclosed 2026-06-05

Insufficient validation of untrusted input in Shortcuts in Google Chrome on Mac prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a side door into one hallway, not a master key to the building

CVE-2026-11283 is a navigation-restriction bypass in Chrome's Shortcuts handling on macOS before 149.0.7827.53. The public description says a remote attacker can use a malicious file to make vulnerable Chrome on Mac bypass intended navigation limits; this is not described as code execution, sandbox escape, or data theft on its own.

Google's vendor CVSS of 6.5 / MEDIUM overstates the operational urgency for enterprise patching. In the real world this chain is narrowed by platform scope (Mac only), delivery mode (malicious file, not clean drive-by HTML), required user interaction, and impact limited to browser policy/navigation integrity rather than full host compromise.

"Mac-only, file-driven, user-assisted browser logic bug with no exploitation signal: patch it, but don't drop everything."
02 · The Attack Path

3 steps from start to impact.

STEP 01

Deliver a malicious file

The attacker first needs to place a crafted file in front of the user, typically by email, chat, cloud share, or a download lure. This is a client-side delivery problem, not an internet-facing service exposure problem, so the attacker must win user engagement before the bug matters.
Conditions required:
  • Target uses Chrome on macOS
  • Attacker can deliver or entice download of a crafted file
  • User is willing to open or interact with that file
Where this breaks in practice:
  • Mail gateways, browser download warnings, and macOS quarantine reduce open rates
  • Enterprise users on managed Macs are a subset of the total Chrome population
  • This is not a blind scan-and-own bug
Detection/coverage: Network scanners will not find this. Coverage is mostly in email/web download telemetry, file-quarantine events, and browser version inventory.
STEP 02

Trigger the Shortcuts validation flaw

Once the file is opened in the vulnerable workflow, Chrome's Shortcuts component insufficiently validates untrusted input. That lets the crafted content bypass navigation restrictions that should have constrained where or how the browser can navigate.
Conditions required:
  • Chrome version is below 149.0.7827.53
  • The vulnerable Shortcuts code path is reached on macOS
  • The crafted file format survives delivery intact
Where this breaks in practice:
  • Bug details are still restricted in Chromium issue tracking
  • The exact trigger path appears platform-specific to macOS
  • Any change in file association or workflow can break exploit reliability
Detection/coverage: Exploit-detection coverage is weak; most tooling will only tell you whether the version is vulnerable, not whether exploitation occurred.
STEP 03

Abuse the navigation bypass for follow-on deception

The likely value to an attacker is to weaken browser navigation controls so they can redirect or present content in ways Chrome intended to block. That can support phishing, trust-boundary confusion, or policy bypass inside the browser, but the public record does not show direct OS code execution or privileged escape from this CVE alone.
Conditions required:
  • The attacker has a useful follow-on destination or content flow
  • The user continues interacting after the bypass
  • Enterprise controls do not stop the follow-on site or content
Where this breaks in practice:
  • Impact is bounded to integrity of browser behavior, not full host takeover
  • Modern DNS/web filtering can still block malicious destinations
  • No public in-the-wild reporting suggests mature offensive use
Detection/coverage: Look for suspicious download-origin + file-open chains followed by unexpected browser navigations, but expect low-fidelity analytics.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo evidence of active exploitation located in public sources reviewed; not listed in CISA KEV.
PoC availabilityNo public PoC found. The associated Chromium issue is still restricted, which usually slows opportunistic weaponization.
EPSS0.0002 from the user-supplied intel, which is effectively negligible and consistent with low attacker interest.
KEV statusNot KEV-listed as of the reviewed CISA catalog.
CVSS vector readoutAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N says remote and low-complexity, but the decisive real-world limiter is UI:R plus malicious-file delivery; that's a narrower path than typical web-triggered browser bugs.
Affected versionsGoogle Chrome on macOS prior to 149.0.7827.53.
Fixed version149.0.7827.53/54 for Windows/Mac rollout, with the Mac-fixed floor explicitly including 149.0.7827.53 in the vendor release notes.
Exposure/scanning realityNot meaningfully internet-enumerable. Shodan/Censys/FOFA-style exposure counting does not help because this is a client-side browser flaw, not a remotely fingerprintable server service.
Disclosure timingVendor stable release posted 2026-06-02; user-supplied disclosure date is 2026-06-05.
ReporterVendor notes show it was reported by Google on 2026-04-13, not an external researcher with a bounty listing.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.2/10)

The single biggest downgrade factor is that this bug needs a malicious file plus user interaction on macOS, which sharply narrows both attacker reach and exposed population. On top of that, the public impact is a browser navigation-policy bypass, not host compromise, and there is no active exploitation signal.

HIGH Reachability is materially limited by Mac-only + malicious-file + user-interaction prerequisites
MEDIUM Exact blast radius after successful trigger, because Chromium bug details remain restricted

Why this verdict

  • Mac-only scope cuts the population hard: this is not a Windows/Linux fleet event, so large mixed-platform estates should expect materially lower affected-host counts than the raw Chrome install base suggests.
  • Delivery requires a malicious file and user action: that implies phishing, download lure, or similar pretext. This is downward pressure because the attacker is not simply landing code from a normal webpage visit.
  • Impact is integrity-limited: the public description is navigation restriction bypass, not RCE, sandbox escape, credential theft, or arbitrary file read by itself.
  • No exploitation heat: not in KEV, no public PoC located, and the supplied EPSS of 0.0002 is near noise floor.
  • Vendor baseline looks vacuum-scored: the 6.5 MEDIUM mostly reflects a generic remote+UI-required integrity issue, but it does not adequately price in platform narrowing and client-side delivery friction.

Why not higher?

This does not present as an internet-facing, unauthenticated, one-click web exploit with broad fleet reach. The absence of code-execution impact, combined with Mac-only targeting and malicious-file delivery, keeps it well below a modern enterprise HIGH threshold.

Why not lower?

It is still a real trust-boundary failure in a heavily deployed browser, and remote attackers can plausibly chain it into phishing or browser-deception workflows. If you run a sizeable managed Mac population, it deserves routine patching and inventory attention rather than being dismissed outright.

05 · Compensating Control

What to do — in priority order.

  1. Force Chrome auto-update on managed Macs — Use your browser-management stack to keep macOS Chrome on 149.0.7827.53+. For a LOW verdict there is no SLA beyond backlog hygiene, so land this in the next normal browser-update wave rather than as an emergency change.
  2. Tighten risky file-delivery paths — Reduce successful trigger opportunities by blocking or warning on suspicious downloaded files from email, chat, and unmanaged cloud shares. Again, for LOW, treat this as backlog hygiene and fold it into your standard hardening cycle.
  3. Preserve download and quarantine telemetry — Make sure macOS quarantine attributes, EDR file-open telemetry, and browser download logs are retained so you can reconstruct any malicious-file delivery chain. This is useful for investigation even though it is not a priority emergency control for a LOW finding.
  4. Prioritize Mac browser inventory accuracy — Because this CVE is macOS-specific, accurate asset scoping is more valuable than broad panic patching. Treat version validation on managed Macs as routine hygiene and close the gap in the next standard reporting cycle.
What doesn't work
  • Perimeter vulnerability scanning doesn't help because this is a client-side browser issue, not a remotely exposed daemon.
  • WAF rules don't meaningfully mitigate a malicious-file trigger path on endpoints.
  • Linux or Windows patch urgency models overstate risk here; the bug's practical exposure is specifically Mac Chrome.
06 · Verification

Crowdsourced verification payload.

Run this on the target Mac endpoint as a normal user; admin rights are not required to read the app bundle version. Save as verify_cve_2026_11283.sh and run bash verify_cve_2026_11283.sh "/Applications/Google Chrome.app".

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/bin/bash
# verify_cve_2026_11283.sh
# Checks whether Google Chrome on macOS is below 149.0.7827.53
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

TARGET_VERSION="149.0.7827.53"
APP_PATH="${1:-/Applications/Google Chrome.app}"
PLIST="$APP_PATH/Contents/Info.plist"

compare_versions() {
  # returns 0 if equal, 1 if $1 > $2, 2 if $1 < $2
  local IFS=.
  local i
  local -a v1=($1) v2=($2)

  for ((i=${#v1[@]}; i<4; i++)); do v1[i]=0; done
  for ((i=${#v2[@]}; i<4; i++)); do v2[i]=0; done

  for i in 0 1 2 3; do
    if ((10#${v1[i]} > 10#${v2[i]})); then
      return 1
    elif ((10#${v1[i]} < 10#${v2[i]})); then
      return 2
    fi
  done
  return 0
}

if [[ "$(uname -s)" != "Darwin" ]]; then
  echo "UNKNOWN: This verification script is intended for macOS (Darwin)."
  exit 2
fi

if [[ ! -d "$APP_PATH" ]]; then
  echo "UNKNOWN: Chrome app not found at $APP_PATH"
  exit 2
fi

if [[ ! -f "$PLIST" ]]; then
  echo "UNKNOWN: Info.plist not found at $PLIST"
  exit 2
fi

INSTALLED_VERSION=$(/usr/bin/defaults read "$PLIST" CFBundleShortVersionString 2>/dev/null)

if [[ -z "$INSTALLED_VERSION" ]]; then
  echo "UNKNOWN: Could not read Chrome version from $PLIST"
  exit 2
fi

compare_versions "$INSTALLED_VERSION" "$TARGET_VERSION"
RESULT=$?

case $RESULT in
  2)
    echo "VULNERABLE: Chrome $INSTALLED_VERSION is below $TARGET_VERSION"
    exit 1
    ;;
  0|1)
    echo "PATCHED: Chrome $INSTALLED_VERSION is at or above $TARGET_VERSION"
    exit 0
    ;;
  *)
    echo "UNKNOWN: Version comparison failed"
    exit 2
    ;;
esac
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, scope your managed Mac fleet for Chrome versions below 149.0.7827.53, make sure auto-update policy is actually working, and let this ride in your normal browser patch ring unless you uncover internal abuse. For a LOW verdict there is no noisgate mitigation SLA and the noisgate remediation SLA treats this as backlog hygiene, so patch during the next standard browser maintenance window and document why it is not an emergency interrupt.

Sources

  1. Google Chrome Stable Channel Update for Desktop (Chrome 149)
  2. Chromium issue 502069297
  3. CISA Known Exploited Vulnerabilities Catalog
  4. FIRST EPSS API
  5. FIRST EPSS documentation
  6. CVE Alert snippet for CVE-2026-11283 description
  7. Chrome security page
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.