MEDIUM 6.5

CVE-2026-11210: Chrome Safe Browsing Bypass via Crafted RAR Files

Google Chrome versions before 149.0.7827.53 contain a flaw in Safe Browsing that allows attackers to bypass access controls when a user opens a specially crafted RAR archive file. An attacker would need to trick a user into opening a malicious RAR file, but once they do, the browser's safety mechanisms fail to properly restrict what the file can access. This is a moderate-severity issue that affects Chrome on Windows, macOS, and Linux.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-284
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Safe Browsing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted RAR file. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from an inappropriate implementation in Chrome's Safe Browsing module, which failed to correctly enforce discretionary access control (DAC) protections when processing RAR archive files. The flaw is tracked under CWE-284 (Improper Access Control) and allows a network-based attacker to circumvent browser-level access restrictions through a crafted RAR payload. User interaction is required—the victim must explicitly open or interact with the malicious file. The issue was patched in Chrome 149.0.7827.53 and higher.

Business impact

Users relying on Chrome's Safe Browsing as a layer of defense against malicious files face reduced protection when handling RAR archives. While the vulnerability requires user action, it could enable data exfiltration or unauthorized system modification if an attacker combines the bypass with secondary exploits. Organizations managing Chrome deployments should prioritize updates to minimize exposure, particularly in environments where users regularly download or exchange archived files.

Affected systems

The vulnerability affects Google Chrome on Windows, macOS, and Linux platforms running versions prior to 149.0.7827.53. All three major operating systems are in scope; the specific OS version requirements depend on Chrome's compatibility matrix for the patched release. Chromium-based browsers derived from affected Chrome versions may also be vulnerable.

Exploitability

Exploitation requires user interaction—specifically, a victim must open a crafted RAR file in or near Chrome. The attack vector is network-based and requires no special privileges or complex conditions beyond social engineering or drive-by download scenarios. The Chromium security team classified this as Medium severity, reflecting the moderate impact (integrity compromise) and the practical user-interaction barrier. No known public exploits have been associated with this CVE as of the publication date.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Automatic updates are available through Chrome's built-in update mechanism; users should restart the browser to complete patching. For managed environments, system administrators should push the update through their Chrome management infrastructure (e.g., Google Admin Console, Microsoft Intune, or MDM solutions). No workarounds exist; patching is the sole remediation.

Patch guidance

Chrome users should enable automatic updates if not already active (the default configuration). Navigate to Chrome menu > About Google Chrome to check and download the latest version. For enterprise deployments, verify patch status across your fleet using Chrome management tools or endpoint management solutions. Testing the patch in a non-production environment is recommended before enterprise-wide rollout, though the security risk of delaying this update generally outweighs testing delays. Verify the patched version matches or exceeds 149.0.7827.53 before considering devices compliant.

Detection guidance

Monitor Chrome version numbers across your environment using endpoint detection and response (EDR) tools, mobile device management (MDM), or configuration management databases. Flag any Chrome installation below version 149.0.7827.53 as requiring immediate attention. Log analysis is unlikely to reveal exploitation attempts directly, as Safe Browsing bypass events are not typically logged; focus detection efforts on identifying which users or systems have not yet patched. Monitor for unusual RAR file handling or user complaints about unexpected file access warnings.

Why prioritize this

Although classified as Medium severity, this vulnerability merits rapid patching because it directly undermines a key browser security control. Safe Browsing is a frontline defense against malicious downloads; a bypass weakens that defense for a common file format. The low complexity and user-interaction requirement mean opportunistic attackers could combine this flaw with phishing or watering-hole campaigns. Patches are non-disruptive and widely available, making delay unjustifiable.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects an integrity-based attack vector (I:H) that requires network access and user interaction but causes no confidentiality or availability impact. The absence of privilege escalation or system compromise limits the score; however, the ability to bypass access controls on files is meaningful in contexts where archived content contains sensitive data or when combined with secondary attack chains. Organizations with elevated concern about data integrity should treat this as a higher-priority patch.

Frequently asked questions

What file formats trigger this vulnerability?

Specifically, RAR archive files can trigger the vulnerability. Other compressed formats like ZIP or 7Z are not mentioned in the CVE description; however, always apply the patch regardless, as it addresses a Safe Browsing implementation flaw that could affect multiple file types.

Do I need to update if I don't use RAR files?

Yes. Even if RAR is uncommon in your workflow, the underlying Safe Browsing bypass could be relevant to other attack vectors or file types not yet disclosed. Additionally, patching removes a known control weakness and is necessary for maintaining compliance and defense-in-depth posture.

Will this update affect my Chrome extensions or settings?

Chrome updates generally preserve extensions and settings. However, always ensure critical extensions are compatible with the latest Chrome version before enterprise deployment. Test in a staging environment if your organization relies on specialized or custom extensions.

Is this vulnerability currently being exploited in the wild?

As of the publication date, the CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation. However, the absence of known exploitation does not guarantee future safety; prompt patching remains essential.

This analysis is provided for informational purposes and reflects publicly available information as of the publication date. CVSS scores, affected versions, and patch guidance are based on official vendor advisories and CVE records. Organizations should verify patch applicability and compatibility in their specific environment before deployment. No guarantee is made regarding exploit code, malware payloads, or active threats not yet disclosed. Always consult official Google Chrome security advisories and your organization's security policies before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).