CVE-2026-11301 · CWE-125 · Disclosed 2026-06-05

Inappropriate implementation in LiveCaption in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a sharp edge buried inside an optional browser convenience feature, not a front-door lock blown off the hinges.

CVE-2026-11301 is an out-of-bounds read / memory access issue in Chrome Live Caption. It affects Google Chrome before 149.0.7827.53; Google shipped fixes as 149.0.7827.53 for Linux and 149.0.7827.53/54 for Windows and macOS. The trigger condition is not just “user opens Chrome” — the bug sits in the Live Caption path and requires attacker-controlled content to be processed by that feature.

The vendor-side 8.8/HIGH rating is too abstract for patch triage at fleet scale. In practice this is a client-side, user-assisted, feature-gated, read-oriented memory bug with no KEV entry, no public exploitation evidence, no public PoC surfaced, and a tiny EPSS score; Google’s own Chrome advisory classifies it as Low. That combination pushes this well below the emergency patch bucket.

"This is a niche browser bug, not an enterprise fire drill."
02 · The Attack Path

3 steps from start to impact.

STEP 01

Get the target into Live Caption code

The attacker needs a victim to browse to, or otherwise consume, attacker-influenced content that causes Chrome to process media through the Live Caption feature. This is not a server-side reachability problem; it is a user-session problem inside the browser.
Conditions required:
  • Target is running Chrome prior to 149.0.7827.53
  • Victim uses Chrome interactively
  • Attacker can deliver or influence media/network content the user consumes
Where this breaks in practice:
  • Requires user interaction, not unauthenticated drive-by service exposure
  • Corporate browsing controls, safe browsing, URL filtering, and mail/web gateways remove a chunk of delivery paths
  • Many users never meaningfully exercise Live Caption paths during normal work
Detection/coverage: Detection is mostly version-based. Network scanners will not see this; browser extension/asset inventory and EDR software inventory are the useful controls.
STEP 02

Trigger malformed processing inside Live Caption

If the victim reaches the vulnerable path, malformed input can drive an out-of-bounds memory access/read in Live Caption. The official wording does not claim code execution; it describes a potential out-of-bounds memory access via malicious network traffic.
Conditions required:
  • Live Caption processing path is actually invoked
  • Attacker-crafted content reaches the vulnerable parser/handler intact
Where this breaks in practice:
  • Feature-gated attack surface sharply narrows reachable population
  • Out-of-bounds read/access is a weaker primitive than a clean write/UAF-to-RCE path
  • Chrome hardening and process isolation reduce reliability of turning a read into meaningful compromise
Detection/coverage: Expect poor signature coverage. At best, EDR may catch a browser crash or anomalous process behavior after exploitation attempts; most scanners can only say 'vulnerable version present'.
STEP 03

Convert memory access into something useful

To matter operationally, the attacker would need to turn that memory access into an information leak, crash, or chain component. There is no public evidence yet that this CVE alone provides stable sandbox escape or OS-level execution.
Conditions required:
  • The memory access produces controllable or useful leakage/crash behavior
  • Attacker can iterate enough to make the primitive reliable
  • Potentially, a second bug is available if the goal is full compromise
Where this breaks in practice:
  • No public exploit chain or field exploitation has been reported
  • Client-side memory bugs often die at the 'reliable weaponization' stage
  • Blast radius is per-user browser session, not whole-enterprise service compromise
Detection/coverage: If chained, downstream browser crashes, unusual renderer behavior, or suspicious child-process patterns may show up in EDR. There is no strong CVE-specific network IOC set.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No known active exploitation in the sources reviewed. CISA KEV does not list this CVE, and Google did not flag it as exploited in the release notes.
Public exploit / PoC: No public PoC found in current searches. The Chromium bug remains referenced, but practical exploit material is not publicly surfaced.
EPSS: 0.00068 from the user intel block — effectively cold. I could not directly confirm the percentile from FIRST in the current fetch, but this score sits in the very low likelihood band.
KEV: Not KEV-listed as of 2026-06-05 review time.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H maps to remote, no auth, but user interaction required. The rating assumes worst-case impact if the bug is exploitable; it does not account for Live Caption reachability friction.
Chromium-native severity: Google/Chromium labels it Low ("Low CVE-2026-11301: Out of bounds read in LiveCaption").
Affected versions: Google Chrome before 149.0.7827.53. Platform packaging differs slightly, but anything older than the fixed 149 train should be treated as exposed.
Fixed versions: 149.0.7827.53 (Linux) and 149.0.7827.53/54 (Windows/macOS) per Google's June 2, 2026 stable release. Distro-packaged Chromium backports, if any, must be validated by the distro advisory rather than upstream numbering.
Scanning / exposure reality: This is a client-side browser feature bug, so Shodan/Censys/FOFA-style internet exposure counts are not decision-useful. Reachability is driven by user browsing behavior and whether Live Caption is exercised, not by open ports.
Disclosure / reporter: Disclosed 2026-06-05. Chrome release notes say it was reported by Google on 2026-04-19.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.8/10)

The decisive factor is reachability: this bug lives behind a user-driven, client-side, Live Caption-specific code path, not a broadly exposed enterprise service. Add the lack of KEV activity, lack of public PoC, and the fact that the disclosed primitive is an out-of-bounds read/access rather than a demonstrated RCE chain, and this falls out of the urgent bucket.

HIGH: Version range and official Chrome severity metadata
MEDIUM: Assessment that real-world reachable population is much narrower than generic browser CVSS implies
MEDIUM: No-public-PoC / no-active-exploitation conclusion based on current-source review

Why this verdict

  • Vendor baseline is overstated for ops triage: the 8.8 score comes from a generic browser CVSS view that treats worst-case impact as if every target is equally reachable.
  • Feature-gated attack surface: exploitation depends on the Live Caption path being exercised, which is a much smaller slice of enterprise Chrome usage than 'browser installed somewhere'.
  • User interaction is mandatory: this is not unauthenticated remote service exploitation; the attacker needs a user session and content delivery path.
  • Primitive is weaker than the label suggests: the disclosed issue is an out-of-bounds read/access, not a published sandbox escape or OS-level code execution path.
  • Threat intel is cold: no KEV listing, no Google note about in-the-wild abuse, no public PoC found, and EPSS is near zero.

Why not higher?

If this were a renderer-to-RCE or sandbox-escape bug with broad reachability, the browser footprint alone would justify a much higher call. But the practical chain here is narrowed by feature use, user interaction, and the absence of evidence that the disclosed memory access turns into reliable, meaningful compromise on its own.

Why not lower?

It is still a remote-content-triggered memory-safety flaw in one of the most widely deployed desktop applications in the enterprise. Even low-probability browser bugs deserve normal hygiene because stale browser fleets are how low-end bugs become useful chain components later.

05 · Compensating Control

What to do — in priority order.

  1. Enforce Chrome auto-update health — Make sure endpoints are actually receiving the stable 149 train and that pinned or broken-update hosts are visible in inventory. For a LOW verdict there is no SLA; treat this as backlog hygiene and fold it into your normal browser currency checks.
  2. Disable Live Caption where not needed — If you manage accessibility features by policy and the business does not require Live Caption, reducing exposure to the vulnerable code path is a sensible temporary control. For a LOW verdict there is no SLA; use it selectively on high-risk or tightly controlled populations rather than as a fleet-wide panic move.
  3. Hunt pinned browser versions — Focus on kiosks, VDI gold images, developer workstations with frozen packages, and systems that miss consumer-style browser updates. For a LOW verdict there is no SLA; clean these up in the next routine browser maintenance wave.
  4. Use browser version compliance as the detector — This CVE is better managed through software inventory than exploit detection. For a LOW verdict there is no SLA; keep a standing control that flags Chrome versions older than the fixed build.
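Items 3 and 4 are one control in practice: a standing sweep over the software inventory that flags builds below the fixed 149 train and separates distro-packaged Chromium, whose numbering the page says must be checked against the distro advisory rather than upstream. The following is an added example, not noisgate's or Google's code; the CSV columns, host names and version values are constructed for illustration.

```python
import csv
import io
import re

# Fixed build from the advisory. Windows/macOS also shipped .54, which sorts
# above .53, so one threshold covers all three platforms.
FIXED_BUILD = (149, 0, 7827, 53)

# Constructed inventory export; the column names are an assumption about the
# inventory tool and the hosts/versions are made up for this example.
SAMPLE_INVENTORY = """hostname,product,version
kiosk-01,Google Chrome,148.0.7790.120
vdi-gold-03,Google Chrome,149.0.7827.54
dev-ws-17,Google Chrome,149.0.7827.53
lab-linux-02,Chromium,148.0.7790.0
hr-laptop-09,Google Chrome,
"""

VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)\.(\d+)')


def parse_version(text):
    m = VERSION_RE.search(text or '')
    return tuple(int(x) for x in m.groups()) if m else None


def classify(product, version_text):
    """Return VULNERABLE / PATCHED / UNKNOWN / CHECK-DISTRO-ADVISORY for one row."""
    if 'chromium' in (product or '').lower():
        # Distro builds may carry a backported fix under their own numbering;
        # comparing them against the upstream build would give a false result.
        return 'CHECK-DISTRO-ADVISORY'
    v = parse_version(version_text)
    if v is None:
        return 'UNKNOWN'            # blank or unparseable: treat as a gap to chase
    return 'VULNERABLE' if v < FIXED_BUILD else 'PATCHED'


def sweep(csv_text):
    """Bucket every inventory row by status; returns {status: [hostnames]}."""
    buckets = {k: [] for k in ('VULNERABLE', 'PATCHED', 'UNKNOWN', 'CHECK-DISTRO-ADVISORY')}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets[classify(row['product'], row['version'])].append(row['hostname'])
    return buckets


if __name__ == '__main__':
    for status, hosts in sweep(SAMPLE_INVENTORY).items():
        print('{}: {}'.format(status, ', '.join(hosts) or '-'))
```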
What doesn't work
  • A WAF will not save you here; this is a client-side browser parsing path, not a server endpoint you can normalize at the perimeter.
  • Port-scanning exposure dashboards are mostly irrelevant; Chrome desktops are not internet-exposed in a way that maps to this bug.
  • MFA is unrelated; the exploit path does not depend on account takeover or interactive authentication.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your RMM/EDR live response, not from an auditor workstation. Invoke it with python3 check_cve_2026_11301.py or python check_cve_2026_11301.py; standard user rights are usually enough because it only reads app/version metadata. Optional: python3 check_cve_2026_11301.py --path "/path/to/chrome" to force a specific binary.

#!/usr/bin/env python3
# check_cve_2026_11301.py
# Detect whether local Google Chrome is vulnerable to CVE-2026-11301
# Outputs: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import re
import sys
import platform
import subprocess

FIXED = (149, 0, 7827, 53)


def parse_version(text):
    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', text or '')
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_to_str(v):
    return '.'.join(str(x) for x in v)


def cmp_ver(a, b):
    return (a > b) - (a < b)


def run_cmd(cmd):
    try:
        out = subprocess.check_output(cmd, stderr=subprocess.STDOUT, text=True)
        return out.strip()
    except Exception:
        return None


def check_explicit_path(path):
    if not path or not os.path.exists(path):
        return None
    out = run_cmd([path, '--version'])
    if out:
        v = parse_version(out)
        if v:
            return ('explicit-path', v)
    return None


def check_windows():
    try:
        import winreg
    except Exception:
        winreg = None

    if winreg:
        keys = [
            (winreg.HKEY_CURRENT_USER, r'Software\Google\Chrome\BLBeacon'),
            (winreg.HKEY_LOCAL_MACHINE, r'Software\Google\Chrome\BLBeacon'),
            (winreg.HKEY_LOCAL_MACHINE, r'Software\WOW6432Node\Google\Chrome\BLBeacon'),
        ]
        for hive, path in keys:
            try:
                with winreg.OpenKey(hive, path) as k:
                    version, _ = winreg.QueryValueEx(k, 'version')
                    v = parse_version(version)
                    if v:
                        return ('registry', v)
            except Exception:
                pass

    candidates = [
        os.path.expandvars(r'%ProgramFiles%\Google\Chrome\Application\chrome.exe'),
        os.path.expandvars(r'%ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe'),
        os.path.expandvars(r'%LocalAppData%\Google\Chrome\Application\chrome.exe'),
    ]
    for p in candidates:
        if p and os.path.exists(p):
            out = run_cmd([p, '--version'])
            v = parse_version(out or '')
            if v:
                return ('binary', v)
    return None


def check_macos():
    # Local import: plistlib is only needed on the macOS fallback path.
    import plistlib
    candidates = [
        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
        os.path.expanduser('~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'),
    ]
    # Preferred: ask the binary itself, as on the other platforms.
    for p in candidates:
        if os.path.exists(p):
            out = run_cmd([p, '--version'])
            v = parse_version(out or '')
            if v:
                return ('binary', v)
    # Fallback: read CFBundleShortVersionString directly from Info.plist.
    # (`defaults read` expects the plist path without its extension, not the
    # .app directory, so parsing the file with plistlib is more robust.)
    plist_candidates = [
        '/Applications/Google Chrome.app/Contents/Info.plist',
        os.path.expanduser('~/Applications/Google Chrome.app/Contents/Info.plist'),
    ]
    for p in plist_candidates:
        if os.path.exists(p):
            try:
                with open(p, 'rb') as fh:
                    info = plistlib.load(fh)
                v = parse_version(info.get('CFBundleShortVersionString', ''))
            except Exception:
                v = None
            if v:
                return ('plist', v)
    return None


def check_linux():
    cmds = [
        ['google-chrome', '--version'],
        ['google-chrome-stable', '--version'],
        ['/opt/google/chrome/chrome', '--version'],
        ['/usr/bin/google-chrome', '--version'],
        ['/usr/bin/google-chrome-stable', '--version'],
    ]
    for cmd in cmds:
        out = run_cmd(cmd)
        v = parse_version(out or '')
        if v:
            return ('command', v)
    return None


def main():
    explicit = None
    if len(sys.argv) >= 3 and sys.argv[1] == '--path':
        explicit = sys.argv[2]
        result = check_explicit_path(explicit)
        if not result:
            print('UNKNOWN - Could not read version from explicit path: {}'.format(explicit))
            sys.exit(2)
    else:
        result = None

    if not result:
        system = platform.system().lower()
        if 'windows' in system:
            result = check_windows()
        elif 'darwin' in system:
            result = check_macos()
        elif 'linux' in system:
            result = check_linux()
        else:
            print('UNKNOWN - Unsupported platform: {}'.format(platform.system()))
            sys.exit(2)

    if not result:
        print('UNKNOWN - Google Chrome not found or version unreadable')
        sys.exit(2)

    source, version = result
    fixed_str = version_to_str(FIXED)
    found_str = version_to_str(version)

    if cmp_ver(version, FIXED) < 0:
        print('VULNERABLE - Chrome version {} detected via {}; fixed version is {} or later'.format(found_str, source, fixed_str))
        sys.exit(1)
    else:
        print('PATCHED - Chrome version {} detected via {}; fixed version threshold is {}'.format(found_str, source, fixed_str))
        sys.exit(0)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not burn an emergency change window on this one. There is no noisgate mitigation SLA and no noisgate remediation SLA for a LOW finding — treat it as backlog hygiene: verify that Chrome auto-update is healthy, identify endpoints still below 149.0.7827.53, and fold them into your normal browser refresh cycle; if you have a small set of high-control endpoints with Live Caption enabled or pinned browser builds, clean those up first, but this is still routine maintenance rather than incident-speed patching.

Sources

  1. NVD entry for CVE-2026-11301
  2. Google Chrome stable channel update for Desktop - June 2, 2026
  3. CISA Known Exploited Vulnerabilities Catalog
  4. Canadian Centre for Cyber Security advisory AV26-544
  5. Chromium fix reference / commit mentioning issue 504180386
  6. VulDB summary for CVE-2026-11301
  7. SecurityWeek coverage of Chrome 149 release