How is CVE-2026-11170 exploited?

Network reachability (required): The attacker must reach the Chromoting service over the network; no local access or physical presence is needed. Authentication (not-required): No credentials or prior account access are needed to initiate the attack. Victim interaction (not-required): The exploit is delivered entirely via malicious network traffic and requires no action from a user on the target system. Attack complexity (info): Exploitation is non-trivial and depends on environmental factors such as race conditions, specific memory layout, or precise network timing that the attacker must engineer.

What is the impact of CVE-2026-11170?

A successful attacker reads any file or process memory accessible on the host, including credentials, session tokens, and private keys. The attacker writes to or modifies files and system state at the OS level, enabling persistence mechanisms or tampering with application data. The attacker can terminate processes or exhaust resources, crashing the Chrome remote desktop session or other services on the host. OS-level privilege escalation means the attacker is not confined to the browser sandbox and can affect the entire Linux host, not just the Chrome process.

Back to search

HIGHCVE-2026-11170Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-11170: Inappropriate implementation in Chromoting in Google Chrome on Linux prior to 149

Inappropriate implementation in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to perform OS-level privilege escalation via malicious network traffic. (Chromium security severity: Medium)

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

An inappropriate implementation flaw in the Chromoting component (Google's remote desktop feature) of Google Chrome on Linux allows a remote attacker to escalate privileges to the OS level. The vulnerability is reachable over the network with no authentication required, though exploitation involves elevated complexity due to environmental or timing conditions the attacker must satisfy. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability on the affected host. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11170 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome on Linux base layers.

Available

Triage

HarborGuard scores this CVE at 8.1 HIGH (CVSS v3.1) and surfaces it accordingly in each customer's triage queue, with per-environment compliance policy weighting applied to prioritize it relative to other open findings and route it to the appropriate team inbox.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the Chromoting service over the network; no local access or physical presence is needed.
AuthenticationNot required
No credentials or prior account access are needed to initiate the attack.
Victim interactionNot required
The exploit is delivered entirely via malicious network traffic and requires no action from a user on the target system.
Attack complexityDetail
Exploitation is non-trivial and depends on environmental factors such as race conditions, specific memory layout, or precise network timing that the attacker must engineer.

Blast Radius

A successful attacker reads any file or process memory accessible on the host, including credentials, session tokens, and private keys.
The attacker writes to or modifies files and system state at the OS level, enabling persistence mechanisms or tampering with application data.
The attacker can terminate processes or exhaust resources, crashing the Chrome remote desktop session or other services on the host.
OS-level privilege escalation means the attacker is not confined to the browser sandbox and can affect the entire Linux host, not just the Chrome process.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome on Linux are matched against CVE-2026-11170 at ingest time, and a rebuild at the fixed version 149.0.7827.53 is ready for any environment where an affected image is identified. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, runs regression tests, and opens a pull request against affected workloads automatically; for high-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy requires manual approval, the rebuilt image and associated diff are staged and waiting for reviewer sign-off. Given the HIGH severity and zero-authentication network attack surface, treating this as urgent and applying the patch at the earliest available maintenance window is advisable for any environment that exposes Chromoting or runs Chrome on Linux hosts.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available