Skip to main content

Google Chrome CVE-2026-11190

| EUVDEUVD-2026-34651 MEDIUM
Improper Access Control (CWE-284)
2026-06-04 chrome-cve-admin@google.com GHSA-mwrr-5cxr-f22w
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
3.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 16:30 vuln.today
CVSS changed
Jun 05, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 6.5
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium)

AnalysisAI

Discretionary access control bypass in Google Chrome's Extensions subsystem affects all versions prior to 149.0.7827.53, enabling integrity compromise without exposing confidential data. Exploitation requires convincing a target user to install a crafted malicious Chrome Extension, placing social engineering at the center of any attack path. No public exploit code exists and no active exploitation has been confirmed; EPSS sits at 0.01% (1st percentile), indicating very low observed exploitation probability at time of analysis.

Technical ContextAI

The vulnerability resides in the Chrome Extensions subsystem, which implements a sandboxed permission and capability model governing what browser extensions may access or modify. CWE-284 (Improper Access Control) identifies the root cause: the enforcement logic for discretionary access controls (DAC) - the mechanism by which Chrome restricts extension capabilities to declared, user-approved permissions - contains an inappropriate implementation that can be circumvented by a specially crafted extension manifest or API call sequence. The affected codebase is tracked under Chromium issue 503375371. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms: no authentication is required at the network level, complexity is low, but user interaction (installing the extension) is mandatory. Scope is unchanged, meaning exploitation is contained to the browser's own security context rather than crossing into the underlying OS.

RemediationAI

The primary fix is upgrading Google Chrome to version 149.0.7827.53 or later, confirmed as the patched release per the vendor advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's auto-update mechanism should deliver this to most users automatically; administrators managing enterprise deployments should verify the rollout via policy. As a compensating control pending patch deployment, organizations should enforce extension allow-listing through Chrome Enterprise policies (ExtensionInstallAllowlist / ExtensionInstallBlocklist), which prevents users from installing extensions not pre-approved by administrators - this directly eliminates the social engineering attack path and mitigates this vulnerability entirely. The trade-off of extension allow-listing is reduced user flexibility, but it is a broadly recommended security baseline regardless of this CVE. Blocking installation from outside the Chrome Web Store via policy (ExtensionInstallSources) provides a partial mitigation with less user friction.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy