CVE-2026-11092: Insufficient policy enforcement in DevTools in Google Chrome prior to 149
Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
Insufficient policy enforcement in the DevTools component of Google Chrome (versions prior to 149.0.7827.53) allows an attacker to escalate privileges by convincing a target user to install a malicious browser extension. The vulnerability is reachable over the network and requires no authentication, but it depends on victim interaction to complete the attack chain. Successful exploitation has a high impact on confidentiality, integrity, and availability: the attacker can read confidential data, modify data, and crash or disrupt the affected service. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11092 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium.
HarborGuard scores this CVE at 8.8 HIGH (CVSS v3.1) and surfaces it through per-environment compliance policy weighting, routing findings to the appropriate team inbox within each customer organization based on configured severity thresholds and ownership rules.
A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the victim over the network, delivering the malicious extension via a web-based or network-accessible distribution channel.
- Authentication: Not required
  No authentication or account credentials are needed; the attacker interacts with the victim directly without any privileged access to the target system.
- Victim interaction: Required
  The attack requires social engineering: the victim must be convinced to install a crafted malicious Chrome extension for the exploit to proceed.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.
Blast Radius
- A successful attacker reads confidential browser data, including stored credentials, session tokens, and browsing history accessible to the extension context.
- A successful attacker modifies browser state and persisted data, including altering page content, injecting scripts into visited pages, and tampering with stored extension or application data.
- A successful attacker can crash or disrupt the Chrome process, causing loss of availability for the affected user session.
- Privilege escalation via the DevTools policy bypass may allow the extension to operate outside its declared permission scope, broadening access beyond what the user consented to grant.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11092 is active across all connected registries and pipelines, matching any image that packages Chrome or Chromium below version 149.0.7827.53. For environments where an affected version is identified, a rebuilt image at the patched version 149.0.7827.53 is available. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, executes a regression run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding is surfaced in the customer dashboard with a direct link to the fix version and guidance on verifying that Chrome packages in base images or installed layers are updated before the next deployment.
Fix available
- Google / Chrome < 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H