CVE-2026-11143: Chrome Linux Extension Out-of-Bounds Read Memory Leak
Google Chrome on Linux contains an out-of-bounds memory read vulnerability affecting versions prior to 149.0.7827.53. The flaw resides in Chrome's extension handling mechanism and allows a malicious extension—installed by a user—to read sensitive data directly from the browser's process memory. An attacker would need to trick a user into installing the malicious extension, but once installed, the extension can harvest information like passwords, session tokens, or other in-memory secrets without triggering additional user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-122
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Out of bounds read in Extensions in Google Chrome on Linux prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11143 is an out-of-bounds read (CWE-122) in Chrome's Extensions subsystem on Linux. The vulnerability permits a crafted extension to access memory regions outside its intended boundaries, potentially exfiltrating sensitive application state. The Chromium project assigned this a Medium security severity. The vector profile (CVSS 3.1: 6.5 Medium) reflects network-accessible attack surface, low complexity, no privilege requirement, and user interaction (extension installation) as the gating factor, with confidentiality impact as the primary concern.
Business impact
If exploited, this vulnerability enables credential theft and sensitive data exfiltration at scale. An attacker distributing a trojanized extension through official or third-party app stores could compromise user credentials, API keys, and session identifiers stored in Chrome's memory. For organizations where employees use Chrome with extensions for development, cloud access, or corporate collaboration tools, this represents a direct path to lateral movement and account compromise. The impact multiplies if the extension masquerades as a legitimate productivity tool.
Affected systems
Google Chrome on Linux running versions prior to 149.0.7827.53 are vulnerable. This includes all releases of Chrome, Chromium, and Chromium-based browsers (Edge, Brave, etc.) built from the affected Chromium codebase before the patch. The vulnerability is specific to Linux; Windows and macOS distributions were addressed separately. Any user who has installed a malicious extension remains at risk until both Chrome is updated and the extension is removed.
Exploitability
Exploitability requires successful social engineering to convince a user to install a malicious extension—a non-trivial hurdle in some environments but increasingly viable given the volume of extensions available and varying user security awareness. Once installed, exploitation is automatic and requires no further user action. The extension can silently exfiltrate memory contents on every page load or browser interaction. No authentication bypass or system privilege escalation is needed; the attack is entirely within the browser sandbox boundary.
Remediation
Update Google Chrome to version 149.0.7827.53 or later on all Linux systems. Concurrent with patching, audit installed extensions—particularly those from unfamiliar publishers, those requesting broad permissions, or those recently added to official stores. Users should verify extension legitimacy against official vendor documentation and consider disabling extensions not actively required. Organizations should enforce extension allow-lists via Chrome Enterprise Policies if browser centralized management is in place.
Patch guidance
Apply Chrome update 149.0.7827.53 (or later) via Settings > About Google Chrome on each Linux workstation; auto-update is the default for most deployments but should be verified in managed environments. Verify installation by navigating to chrome://version and confirming the version string. For Chromium-based browsers (Edge, Brave), apply the equivalent patched release from the respective vendor, as this flaw affects the shared Chromium codebase. Test in a lab environment first if deploying to critical systems to rule out extension compatibility issues.
Detection guidance
Monitor Chrome version strings across Linux endpoints using EDR or fleet management tools to identify systems still running pre-149.0.7827.53 releases. Log and alert on extension installation events, especially from unknown or low-reputation publishers. If available, inspect Chrome extension activity logs for unusual memory access patterns or unexpected data exfiltration. Network detection is difficult since the exfiltration occurs over normal HTTPS channels; focus on extension governance and version compliance. Correlate with user reports of unexpected credential resets or unauthorized account activity.
Why prioritize this
Although the CVSS score is Medium (6.5), the real-world risk is elevated by two factors: (1) ease of distribution through legitimate app stores with minimal verification, and (2) silent, non-detectable exploitation once the user installs the extension. Development and finance teams, where extensions are more commonly used for productivity and integrations, face disproportionate risk. The lack of KEV designation does not diminish urgency; in-the-wild exploitation is possible and social engineering is a known attack vector for extension deployment.
Risk score, explained
CVSS 3.1 base score of 6.5 (Medium) reflects: Attack Vector Network (installation can be prompted remotely), Attack Complexity Low (no special conditions needed), Privileges Required None (extension runs as user, not as elevated process), User Interaction Required (extension must be installed), Scope Unchanged, Confidentiality High (sensitive memory can be read), Integrity None, Availability None. The score appropriately penalizes the user interaction requirement but acknowledges the severity of unrestricted information disclosure once that hurdle is cleared.
Frequently asked questions
Can this vulnerability be exploited if the user never interacts with the malicious extension?
The extension must be installed, but once installed, the out-of-bounds read can be triggered automatically—for example, when the browser loads a page or when the extension's background script executes on a timer. The initial social engineering (convincing the user to install) is the barrier; subsequent exploitation does not require visible user action.
Are Windows and macOS versions of Chrome also vulnerable?
No. This CVE is specific to Chrome on Linux and the Linux kernel integration. Microsoft and Apple patched equivalent issues in their respective Chrome builds through separate releases. Verify the version number against your operating system's Chrome release notes to confirm coverage.
If I remove the malicious extension, am I immediately safe?
Removing the extension stops future exploitation, but you should assume data already in memory during the infection period may have been exfiltrated. Change credentials (passwords, API keys) that were likely in use during the compromised period, and monitor accounts for unauthorized access.
What should I look for when reviewing my installed extensions?
Prioritize extensions with broad permissions (especially 'read all data on the websites you visit'), extensions from unfamiliar or one-person publishers, and any extensions you do not actively use. Check the install date against your browsing history—if an extension appeared without your deliberate action, investigate further.
This analysis is provided for informational and defensive purposes. SEC.co does not condone or facilitate exploit development or unauthorized access to systems. Patch timelines and version numbers should be verified against official Google Chrome security advisories. Organizations should test patches in non-production environments before broad deployment to ensure compatibility with business applications and extensions. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10946HIGHChrome Heap Buffer Overflow in Media Processing—Patch Guidance
- CVE-2026-10949HIGHChrome Heap Overflow Sandbox Escape Vulnerability
- CVE-2026-11124HIGHCritical Chrome Skia Integer Overflow Allows Remote Code Execution
- CVE-2026-9926HIGHChrome ANGLE Heap Buffer Overflow Sandbox Escape
- CVE-2026-9939HIGHChrome WebCodecs Heap Buffer Overflow RCE – Patch Now
- CVE-2026-9940HIGHCritical Heap Buffer Overflow in Google Chrome ANGLE—Patch Guidance
- CVE-2026-10993MEDIUMChrome Skia Heap Buffer Overflow Allows Memory Information Disclosure
- CVE-2026-0059HIGHAndroid Heap Buffer Overflow in SDP Discovery – Remote Code Execution