MEDIUM 6.1

CVE-2026-11229: Chrome Privilege Escalation via Physical Access – Patch Required

Google Chrome versions before 149.0.7827.53 contain a flaw in how the application handles certain enterprise features that could allow someone with physical access to your device to gain elevated privileges. The vulnerability requires an attacker to be present at the machine itself and does not need you to take any action—they can exploit it directly. This is a local-only threat and cannot be exploited remotely over the internet.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-269
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Enterprise in Google Chrome prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via physical access to the device. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11229 is rooted in an inappropriate implementation within Chrome's enterprise functionality. The vulnerability manifests as an improper privilege escalation mechanism that can be triggered by a local attacker with physical device access. The underlying weakness is catalogued under CWE-269 (Improper Access Control), indicating that the application fails to enforce proper access restrictions on sensitive operations. The attack vector requires Physical proximity (AV:P), has Low Attack Complexity, requires no Privileges, and needs no User Interaction, resulting in High confidentiality and integrity impact but no availability impact.

Business impact

For organizations deploying Chrome in enterprise environments, this vulnerability represents a localized insider threat. An employee or contractor with physical access to an unattended device could escalate their privileges and access sensitive data or modify system configurations. The risk is highest in shared workspaces, kiosks, or environments where devices are left briefly unattended. Remote workers and single-user setups face lower risk. The business impact depends heavily on what privileged operations are available post-escalation and what data resides on affected machines.

Affected systems

The vulnerability affects Google Chrome prior to version 149.0.7827.53 across multiple operating systems: Windows, macOS, and Linux systems running Chrome. All users running older Chrome versions on these platforms are potentially vulnerable. The scope is technically limited to the Chrome browser process itself, not the underlying operating system, though the escalated privileges may extend Chrome's access beyond its normal sandbox constraints.

Exploitability

Exploitation requires physical presence at the device and cannot be performed remotely. No user interaction or prior authentication is required—an attacker simply needs unsupervised access to an unlocked machine. The attack complexity is low, meaning the technical bar to exploitation is not high once physical access is obtained. However, the overall attack surface is constrained by the physical access requirement, limiting the threat to insider risks and scenarios involving physical security breaches rather than widespread internet-based attacks.

Remediation

Update Google Chrome to version 149.0.7827.53 or later as soon as possible. Enable automatic updates if not already active. For enterprise deployments, consider restricting physical access to unattended devices through policies, screen locks, and supervised endpoints. Disable enterprise features that are not actively needed. Review device access logs to identify any suspicious privilege escalation attempts.

Patch guidance

Verify the installed Chrome version by navigating to Chrome Menu > Help > About Google Chrome and confirm you are running 149.0.7827.53 or newer. The browser will automatically download and prompt for restart when a patch is available. For managed enterprise deployments, push the update through your mobile device management or endpoint management tools. Verify patch compliance across your fleet before closing remediation efforts. If you are running a Chromium-based browser other than Google Chrome (Edge, Brave, Vivaldi), check the vendor's release notes to confirm whether this vulnerability affects your distribution and apply the equivalent patch.

Detection guidance

Monitor system event logs for unexpected privilege escalation events on machines running Chrome. Watch for processes spawning with elevated privileges under suspicious circumstances. Audit physical access logs to correlate with any detected privilege escalation attempts. Endpoint Detection and Response (EDR) solutions should flag privilege escalation events tied to Chrome processes. Implementation of Full Disk Encryption and mandatory screen locks reduces the window of opportunity for exploitation and should be verified as active across your fleet.

Why prioritize this

Although the CVSS score of 6.1 (MEDIUM) and Chromium's Low severity assessment might suggest lower priority, organizations should treat this as a moderate priority due to the high impact rating (C:H, I:H) despite the physical access requirement. The vulnerability is not currently tracked in CISA's KEV catalog, indicating no known active exploitation in the wild. However, the nature of the flaw—improper access control in enterprise functionality—means a motivated insider could weaponize it. Prioritize patching for shared workspaces and high-value targets before rolling out broadly.

Risk score, explained

The CVSS 3.1 score of 6.1 reflects a MEDIUM severity rating driven primarily by the high impact to confidentiality and integrity balanced against the Physical Attack Vector requirement. The score would be higher if remote exploitation were possible, but the local-only nature of the attack caps severity. The Low Attack Complexity and absence of privilege/interaction requirements prevent the score from being lower. Organizations handling sensitive data on laptops or shared desktops should view this as elevated risk despite the MEDIUM label.

Frequently asked questions

Can this vulnerability be exploited over the network or internet?

No. The vulnerability requires Physical Access to the device, meaning an attacker must be physically present to exploit it. This is not a remote vulnerability and poses no direct risk to users on isolated or air-gapped networks in that regard.

Do I need to take any action for the vulnerability to be exploited?

No. Because the UI:N parameter indicates No User Interaction is required, an attacker with physical access does not need you to click anything or perform any action. They can trigger the privilege escalation directly.

Is this vulnerability being actively exploited?

As of the last update, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which tracks vulnerabilities with documented active exploitation. However, this does not guarantee no private exploitation; it means no public evidence of widespread attacks has been recorded.

What platforms are affected?

The vulnerability affects Google Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux. It is specific to Chrome and does not directly affect the underlying operating system, though the escalated privileges within Chrome may allow access to OS-level resources.

This analysis is based on publicly available vulnerability data as of the publication date. Readers must verify all patch versions, affected product lists, and remediation steps against official vendor advisories before implementing changes. SEC.co does not provide warranted guarantees regarding the completeness or real-time accuracy of this information. Organizations should always conduct independent security testing in a controlled environment before deploying patches to production systems. This document is provided for informational purposes and should not be construed as legal advice or a substitute for professional security consultation. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).