HIGH 8.1

CVE-2026-11170: Chrome Chromoting Linux Privilege Escalation (CVSS 8.1)

Google Chrome on Linux contains a vulnerability in its Chromoting feature (the remote desktop capability) that allows an attacker on the network to gain administrative privileges on your system without needing to interact with you. The vulnerability exists in Chrome versions before 149.0.7827.53. While the Chromium project rates this as medium severity, the actual impact—unauthenticated remote privilege escalation—warrants a CVSS score of 8.1 (HIGH), reflecting the seriousness for Linux desktop environments where Chromoting might be enabled.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-693
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to perform OS-level privilege escalation via malicious network traffic. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11170 is a privilege escalation vulnerability in Google Chrome's Chromoting implementation on Linux. The issue stems from inappropriate implementation (CWE-693: Improper Preservation of Security-Relevant Marks) that allows a remote attacker to escalate to OS-level privileges via crafted network traffic. The vulnerability requires network access but no user interaction or authentication, making it exploitable from across the network. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates network-based attack delivery, high attack complexity (likely requiring specific system configuration), but high impact across confidentiality, integrity, and availability.

Business impact

For organizations using Chrome's Chromoting for remote support or administration on Linux systems, this vulnerability creates an unauthenticated remote takeover risk. An attacker could gain root-level access to affected Linux machines without credentials or user interaction, potentially leading to data theft, malware installation, lateral movement, or denial of service. This is particularly concerning for managed desktop environments, development teams, or support centers that rely on Chromoting for legitimate remote access. The vulnerability affects only Linux deployments; Windows and macOS Chrome versions are not impacted.

Affected systems

Google Chrome on Linux versions prior to 149.0.7827.53 are affected. This includes all Linux distributions running vulnerable Chrome releases. The Windows and macOS versions of Chrome are not vulnerable. The Linux kernel itself is listed in vendor-product data but is not the vector; rather, this is a Chrome-on-Linux issue. Systems with Chromoting disabled are not at risk from network-based attacks, though the vulnerability exists in the binary.

Exploitability

While no public exploit or KEV (Known Exploited Vulnerability) status has been confirmed, the attack surface is network-accessible and requires no user interaction. The high attack complexity (AC:H) suggests that the attacker must meet specific conditions—possibly related to how Chromoting is configured, the user's Chrome profile settings, or network topology—but once those conditions are met, exploitation does not depend on user action. Organizations should assume this will be exploited once techniques become widely known.

Remediation

Upgrade Google Chrome on all Linux systems to version 149.0.7827.53 or later. Verify the update is applied by checking Chrome's About page (chrome://about) or running 'google-chrome --version' from the command line. For organizations unable to upgrade immediately, disable Chromoting if it is not essential (Settings > Advanced > System > Chromoting), or restrict network access to Chrome instances via firewall rules. Note that disabling Chromoting eliminates the attack vector but may impact legitimate remote support workflows.

Patch guidance

Deploy Chrome version 149.0.7827.53 or newer across all Linux endpoints. Most organizations with auto-update enabled will receive this patch automatically within the Chrome update cycle. For managed environments, verify deployment via your device management solution or by scheduling a manual update push. After patching, confirm no systems are running versions older than 149.0.7827.53. Organizations on a slower update track should prioritize this update despite any other testing delays, given the unauthenticated remote privilege escalation risk.

Detection guidance

Monitor Chrome process behavior on Linux systems for signs of privilege escalation, including unexpected sudo/root child processes spawned from Chrome. Check system logs for Chrome crashes or unexpected Chromoting connection attempts. Use endpoint detection and response (EDR) tools to alert on Chrome executing with elevated privileges or making raw network calls to unusual destinations. Network-based detection is difficult because the vulnerability is triggered by specific network traffic patterns; focus detection on post-exploitation indicators such as unauthorized root access, new user accounts, or privilege escalation attempts. Verify Chrome versions across your fleet to identify unpatched systems before active exploitation occurs.

Why prioritize this

This is a high-priority patch despite Chromium's medium-severity rating. The vulnerability allows unauthenticated, network-based privilege escalation on Linux—a critical threat model. The lack of KEV status suggests limited public exploitation to date, but this is precisely when patching is most effective. Linux desktop and server environments, particularly those using Chromoting for legitimate purposes, face immediate risk. Organizations should treat this as a critical patch cycle item, ahead of lower-severity updates.

Risk score, explained

The CVSS 8.1 (HIGH) score reflects the combination of network attack vector, no authentication requirement, no user interaction, and high impact across confidentiality, integrity, and availability. The main limiting factor is the high attack complexity, which prevents a score of 9.0+. However, in practice, this limitation may be modest—the complexity likely refers to specific configuration prerequisites rather than technical barriers. For Linux environments where Chromoting is in use, effective risk is very high; for organizations where Chromoting is disabled or unavailable, risk is reduced to the presence of the vulnerable code in the binary.

Frequently asked questions

Does this affect Chrome on Windows or macOS?

No. This vulnerability is specific to Chrome on Linux. Windows and macOS versions of Chrome are not affected by CVE-2026-11170.

Do I need to update if I don't use Chromoting?

Yes. While the attack requires the Chromoting feature, the vulnerability exists in the Chrome binary itself. If an attacker can trigger the vulnerable code path via network traffic, disabling the UI does not remove the risk. Upgrade to the patched version (149.0.7827.53+) regardless.

What is Chromoting and why do I have it?

Chromoting is Chrome's built-in remote desktop feature, allowing you to access or share your desktop from another device. It's included in Chrome by default but typically only active if you explicitly enable it via Settings > Advanced > System. If you have not enabled it, the risk is lower, but you should still patch.

Can a firewall block this vulnerability?

Restricting outbound and inbound network access from Chrome, or blocking Chromoting relay servers, will reduce exposure. However, the proper fix is to upgrade. Firewall rules are a temporary mitigation, not a substitute for patching.

This analysis is based on the CVE record and available technical details as of the publication date. No active exploitation has been confirmed in the wild at the time of writing. Patch timelines, product availability, and specific exploitation techniques may evolve; refer to Google's official Chrome security advisories for authoritative guidance. Organizations should conduct internal testing before enterprise-wide deployment in sensitive environments. SEC.co does not claim exhaustive knowledge of all attack scenarios or defensive measures; this summary is provided for situational awareness and priority-setting. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).