Skip to main content

Google Chrome CVE-2026-11229

| EUVDEUVD-2026-34690 MEDIUM
Improper Privilege Management (CWE-269)
2026-06-04 chrome-cve-admin@google.com GHSA-9wx5-rmpr-qj4p
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
SUSE
4.6 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat
6.6 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
CVSS changed
Jun 06, 2026 - 12:22 NVD
4.6 (MEDIUM) 6.1 (MEDIUM)
Analysis Generated
Jun 05, 2026 - 15:37 vuln.today
CVSS changed
Jun 05, 2026 - 15:22 NVD
4.6 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 4.6
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

Inappropriate implementation in Enterprise in Google Chrome prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via physical access to the device. (Chromium security severity: Low)

AnalysisAI

Privilege escalation in Google Chrome's Enterprise feature (versions prior to 149.0.7827.53) allows a local attacker with physical device access to elevate privileges and access confidential information. The CVSS vector (AV:P/C:H) confirms the attack requires hands-on physical access to the target device, limiting the realistic threat surface to scenarios such as unattended or shared managed endpoints. No public exploit exists and no active exploitation has been identified at time of analysis; EPSS at 0.01% (1st percentile) and SSVC exploitation status of 'none' align with the low overall risk posture.

Technical ContextAI

The vulnerability stems from CWE-269 (Improper Privilege Management) within Chrome's Enterprise management implementation. Chrome Enterprise allows IT administrators to enforce device-level and browser-level policies on managed endpoints, typically via Group Policy (Windows), MDM profiles (macOS/iOS/ChromeOS), or the Chrome Browser Cloud Management service. An 'inappropriate implementation' in this layer suggests that a locally-present attacker can abuse the Enterprise policy framework, a privileged code path, or a managed configuration mechanism to gain elevated access beyond what should be permitted. The CVSS physical attack vector (AV:P) confirms exploitation cannot occur remotely - direct physical interaction with the device is mandatory. Affected CPE/version range per EUVD: Chrome versions below 149.0.7827.53.

RemediationAI

Update Google Chrome to version 149.0.7827.53 or later, which contains the vendor-released patch for this issue. The stable channel update advisory is published at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. For enterprise-managed deployments, administrators should push the update via their MDM, Group Policy, or Chrome Browser Cloud Management console and verify all managed endpoints have applied the update. As a compensating control where immediate patching is not possible, organizations should enforce physical access controls on managed devices (screen lock policies, full-disk encryption, and device-level authentication) to limit the physical attack surface. Disabling or restricting unnecessary Enterprise policy features through the admin console may reduce the exploitable attack surface, though specific policy controls depend on deployment configuration and carry the trade-off of reducing management capability.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11229 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy