Skip to main content

Google Chrome CVE-2026-11189

| EUVDEUVD-2026-34650 MEDIUM
Improper Input Validation (CWE-20)
2026-06-04 chrome-cve-admin@google.com GHSA-3h77-7xw7-872m
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
8.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 16:30 vuln.today
CVSS changed
Jun 05, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 6.5

DescriptionCVE.org

Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium)

AnalysisAI

Navigation restriction bypass in Google Chrome DevTools (all versions prior to 149.0.7827.53) enables circumvention of browser navigation controls through a crafted malicious Chrome Extension. Exploitation requires convincing a target user to install the malicious extension, placing this firmly in social-engineering territory rather than opportunistic mass exploitation. EPSS is extremely low at 0.02% (4th percentile), no public exploit code has been identified, and there is no CISA KEV listing, making this a moderate-priority integrity-only issue despite the CVSS 6.5 score.

Technical ContextAI

The vulnerability resides in Google Chrome's DevTools component - the suite of developer tools built into the browser that interfaces with extension APIs and internal browser mechanisms. The root cause is CWE-20 (Improper Input Validation): DevTools fails to sufficiently validate untrusted input originating from Chrome Extension contexts. Chrome Extensions interact with browser internals through privileged APIs; when a crafted extension supplies malformed or adversarial input to DevTools, the validation gap allows the extension to manipulate navigation restriction logic - controls that normally govern where the browser is permitted to navigate. Affected product per EUVD (EUVD-2026-34650) and NVD CPE data: Google Chrome < 149.0.7827.53 across all supported desktop platforms.

RemediationAI

Update Google Chrome to version 149.0.7827.53 or later immediately - this is the vendor-released patch confirmed by the Stable Channel Update advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome auto-updates by default, so most consumer endpoints will receive the fix without manual intervention; verify update status via chrome://settings/help. As a compensating control for enterprise environments, deploy Chrome Enterprise policies to restrict extension installation: use ExtensionInstallBlocklist (*) combined with ExtensionInstallAllowlist to permit only approved extensions - this directly eliminates the attack's prerequisite (malicious extension installation) and is effective even on unpatched endpoints, though it adds operational overhead for managing the allowlist. Alternatively, ExtensionInstallSources can be locked to the Chrome Web Store only, reducing but not eliminating risk since Web Store review is not a perfect gate. Do not rely on user-level security awareness training alone as the primary control.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11189 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy