HIGH 7.8

CVE-2026-11103: Chrome Installer Privilege Escalation on Windows

A flaw in Google Chrome's installer on Windows allows a local attacker to gain administrative privileges on a computer by tricking a user into opening a malicious file. The vulnerability exists in how the installer validates and processes files during installation or updates. While Chrome itself is a web browser, this weakness targets the installation mechanism—the software that sets up Chrome on your system—making it a local privilege escalation risk rather than a remote internet-based attack.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-269
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Installer in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11103 is a privilege escalation vulnerability in the Chrome Installer component affecting Windows systems running Google Chrome prior to version 149.0.7827.53. The root cause is improper implementation in the installer's file handling logic, classified under CWE-269 (Improper Access Control). The vulnerability requires local code execution and user interaction (opening a malicious file) but does not require the attacker to have pre-existing privileges. Once triggered, an unprivileged user can escalate to OS-level administrative rights. The CVSS 3.1 score of 7.8 (HIGH severity) reflects the high confidentiality, integrity, and availability impact across the system, though attack complexity is low and privilege requirements are none.

Business impact

For organizations deploying Chrome across Windows endpoints, this vulnerability creates a lateral movement and persistence risk. An attacker who gains initial access as a low-privileged user—via phishing, malware delivery, or supply chain compromise—could weaponize this flaw to obtain system-level control without interaction from a system administrator. This elevation enables endpoint compromise, credential theft, malware installation, and lateral network movement. Unpatched Windows Chrome installations become high-value targets for both opportunistic and targeted attacks. The impact is particularly acute in environments where Chrome is used alongside sensitive workflows and where endpoint segmentation relies on user-level privilege boundaries.

Affected systems

Google Chrome on Microsoft Windows is the affected product family. Any installation prior to version 149.0.7827.53 is vulnerable. Both standalone Chrome installations and those distributed through enterprise deployment mechanisms are in scope. The vulnerability does not affect Chrome on macOS, Linux, or other operating systems; it is Windows-specific due to the installer implementation differences. Organizations should verify their deployed Chrome versions and Windows patch levels in their asset inventory.

Exploitability

The attack is locally exploitable with low complexity: no special system configuration or unusual user behavior is required beyond the user opening a malicious file. The attacker does not need existing system access—any local user can trigger the vulnerability. However, exploitation does require user interaction (file opening), which slightly reduces real-world exploitability compared to a purely remote, no-interaction attack. Given the prevalence of phishing and social engineering, this friction is often surmountable. The vulnerability has not been designated for inclusion in the CISA KEV catalog as of the last data update, but local privilege escalation flaws of this severity frequently become preferred post-compromise tactics and should be monitored for public exploit availability.

Remediation

Update Google Chrome to version 149.0.7827.53 or later on all Windows systems. Chrome typically updates automatically, but in enterprise environments with managed deployments, verify that the latest version has been pushed to endpoints. For organizations using group policy or mobile device management (MDM) to control Chrome updates, confirm that update policies are not blocking the patched version. No configuration workarounds are available; patching is the only mitigation. Uninstall and reinstall Chrome if automatic updates fail.

Patch guidance

Deploy Chrome version 149.0.7827.53 or later across all Windows endpoints. Verify deployment through Chrome's built-in update mechanism (Settings > About > Google Chrome) or your enterprise deployment tool. Test the patched version in a pilot group of endpoints before full rollout to ensure compatibility with critical line-of-business applications that depend on Chrome. For organizations using Chrome Enterprise, confirm that the update has been approved and published in your managed deployment channel. Monitor Chrome version compliance through your endpoint management console to identify and remediate any machines still running vulnerable versions.

Detection guidance

Check running Chrome processes and the 'About Chrome' menu to verify installed version numbers. Look for version strings earlier than 149.0.7827.53. Endpoint Detection and Response (EDR) tools should flag attempts to manipulate installer files, particularly suspicious modifications to Chrome installation directories or use of installer components outside of the normal update flow. Monitor for unusual privilege escalation events following Chrome file interactions. Network-based detection is limited since the attack is purely local; focus on endpoint telemetry. Log analysis should capture process creation events where Chrome processes or installer processes spawn child processes with elevated privileges or access tokens.

Why prioritize this

Although not yet listed on the CISA KEV catalog, this is a local privilege escalation affecting a ubiquitous Windows application with high business impact. The combination of low attack complexity, no privilege requirement, and high confidentiality/integrity/availability impact makes it an attractive post-compromise tactic for attackers. Organizations should prioritize patching based on the criticality of the affected endpoints and the sensitivity of data they can access once compromised. Systems used by administrators, developers, or for sensitive tasks warrant priority patching. The attack surface is broad: any user with file-opening capability can trigger it.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects a local attack vector with no privilege requirement and low complexity, paired with full system impact. While the attack requires user interaction (opening a file), this is a low friction requirement in real-world scenarios given phishing prevalence. The severity is driven by the ability to escalate from user to system level, enabling complete endpoint compromise and lateral movement. The score appropriately characterizes the risk to Windows-based organizations; remediation through patching is straightforward and should be prioritized accordingly.

Frequently asked questions

Does this vulnerability affect Chrome on non-Windows systems?

No. CVE-2026-11103 is specific to the Chrome Installer component on Windows. macOS, Linux, and other platforms are not affected. However, organizations running Chrome across mixed operating systems should verify the version status on each platform and apply any relevant patches for those systems separately.

Will Chrome's automatic update feature patch this on its own?

In most cases, yes. Chrome includes an automatic update mechanism that checks for and installs patches without user intervention. However, users should verify their Chrome version by navigating to Settings > About > Google Chrome to confirm they are on version 149.0.7827.53 or later. In enterprise environments with managed update policies, confirm that your deployment configuration permits the patched version.

What should I do if I find machines still running vulnerable versions?

Prioritize patching based on the sensitivity of the machine and data it can access. Immediately update Chrome to version 149.0.7827.53 or later. If automatic updates are disabled in your environment, manually trigger an update through the About menu or use your enterprise deployment tool. Simultaneously, increase monitoring of affected machines for signs of compromise, such as unexpected privilege escalation or new administrator accounts.

Is there a known public exploit for this vulnerability?

As of the last update, CVE-2026-11103 has not been designated for the CISA KEV catalog, suggesting no widely available weaponized exploit has been disclosed at scale. However, organizations should assume that security researchers and threat actors understand the vulnerability and may develop exploits. Patching should not be delayed based on the absence of a public proof-of-concept.

This analysis is provided for informational purposes and should not be considered a substitute for direct consultation with your organization's security, infrastructure, and legal teams. Patch testing and deployment should follow your organization's change management and testing procedures. While we have taken care to present accurate information based on available source data, vulnerabilities evolve and vendor advisories may be updated. Refer to Google's official security advisories and Microsoft's Windows security resources for the latest guidance. Organizations are responsible for assessing the applicability of this vulnerability to their environment and determining their own patch and mitigation timelines. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).