CVE-2026-11231: Chrome Safe Browsing Code Execution on macOS – Patch Now
Google Chrome on macOS contains a flaw in its Safe Browsing feature that could allow an attacker to run malicious code on a user's computer. The vulnerability requires user interaction—specifically, the user must open or interact with a malicious file. While Chromium's security team classified the underlying issue as low severity, the CVSS score of 8.1 reflects the real-world impact: an attacker gaining code execution on the system. This affects Chrome versions prior to 149.0.7827.53 on macOS.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-94
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a malicious file. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11231 stems from an inappropriate implementation in Chrome's Safe Browsing component on macOS. The Safe Browsing feature is designed to protect users from malicious downloads and websites by checking files against Google's databases of known threats. The implementation flaw allows a remote attacker to bypass or subvert this protection, enabling arbitrary code execution when a user processes a specially crafted file. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that the Safe Browsing logic fails to properly validate or sanitize file content before processing. The attack vector is network-based with low complexity, and while a user must take action (opening the file), the barrier to exploitation is minimal given how naturally users interact with downloaded content.
Business impact
Successful exploitation could grant an attacker code execution privileges equivalent to the user running Chrome, potentially leading to data theft, ransomware deployment, or lateral movement within a corporate environment. On macOS, this could compromise not only user data stored in or accessible to Chrome, but also system credentials, files, and applications if the user account has elevated privileges. Organizations with Mac-based development or finance teams are at particular risk, as these users often handle files from external sources. The need for user interaction provides some friction, but phishing campaigns or drive-by downloads could readily satisfy this requirement at scale.
Affected systems
Google Chrome on macOS versions prior to 149.0.7827.53 are affected. The vulnerability does not impact Chrome on Windows, Linux, or iOS, nor does it affect other Chromium-based browsers unless they have independently incorporated the same flawed Safe Browsing code. macOS users of all supported versions (Big Sur, Monterey, Ventura, Sonoma, and later) running vulnerable Chrome releases are in scope.
Exploitability
Exploitability is straightforward from a technical standpoint. An attacker needs only to craft a malicious file, host it on the internet or deliver it via email, and wait for a user to open it—Chrome's Safe Browsing will fail to block it. No additional vulnerabilities, authentication, or system complexity is required. The barrier is primarily user behavior: the victim must download and open the file. However, given the prevalence of file-sharing, email attachments, and casual downloads in most organizations, this is not a high bar. There is no indication in public sources that active exploitation has occurred, but the attack method is trivial to execute once weaponized. The LOW severity classification by Chromium appears to reflect the belief that Safe Browsing is a secondary defense layer; however, many users rely on it as a primary safeguard.
Remediation
Users should upgrade Google Chrome to version 149.0.7827.53 or later on macOS. Chrome can be configured to update automatically; users should verify their current version via Chrome menu > About Google Chrome, which will also trigger any pending updates. Organizations should enforce this minimum version via their endpoint management or mobile device management platform if Chrome is provided centrally. Complementary mitigations include enabling additional macOS security features such as Gatekeeper and notarization checks, though these do not replace the Chrome patch. Users should also exercise caution with files from untrusted sources and consider using sandboxed or air-gapped systems for opening sensitive or suspicious files.
Patch guidance
Verify against the official Google Chrome release notes and security advisory for version 149.0.7827.53, which is the confirmed fixed version. macOS users can check for updates via Chrome menu > About Google Chrome; the browser will automatically download and apply the patch on next restart. Enterprise deployments should reference the Chrome Enterprise release calendar and deploy via their configuration management tools. No beta or extended stable channel requirements have been published; the standard stable release should be sufficient. Test the patch in a limited environment if your organization has critical Chrome-dependent workflows, though this update addresses only a security vulnerability with no known functional changes.
Detection guidance
Network-based detection is challenging, as the attack involves a user downloading and opening a file through normal browsing. Endpoint detection should focus on monitoring for unexpected child processes spawned by Chrome, particularly those that access system files, create new user accounts, or attempt credential dumping. Host-based indicators include unusual Chrome process trees, files written to /tmp or /var/tmp immediately after file download, and unexpected network connections from the Chrome process. macOS-specific signals include code signing violations, attempts to disable Gatekeeper, or injection into system processes. Behavioral monitoring for suspicious processes spawned from the Downloads folder may also prove useful. Organizations without managed endpoint detection should prioritize patching, as detection of this vulnerability in the wild is reactive and difficult without deep instrumentation.
Why prioritize this
Despite Chromium's low-severity classification, this vulnerability warrants high priority due to its CVSS 8.1 rating, the ease of exploitation, and the ubiquity of Chrome among macOS users. Code execution is the most severe outcome in most threat models. The requirement for user interaction is offset by the naturalness of file downloads and the likelihood of social engineering. Organizations with Mac-heavy user bases, particularly those handling sensitive data or intellectual property, should prioritize this patch within days, not weeks. The lack of KEV (Known Exploited Vulnerability) status as of the advisory date does not diminish risk; it reflects lack of public reporting, not absence of threat.
Risk score, explained
The CVSS 8.1 (HIGH) score reflects: Network-based attack vector (AV:N), low attack complexity (AC:L), no privilege requirements (PR:N), and user interaction (UI:R). The impact is high for confidentiality and integrity (C:H/I:H), with no direct availability impact (A:N). This scoring correctly captures the severity of arbitrary code execution constrained only by user action. Chromium's internal low-severity rating likely reflects a narrow view of Safe Browsing as a secondary defense; however, in practice, many users treat it as primary, making the HIGH CVSS score more aligned with real-world risk. The unchanged scope (S:U) indicates impact is limited to the user's system, not other systems directly.
Frequently asked questions
Does this vulnerability affect Chrome on Windows or Linux?
No. The vulnerability is specific to Chrome on macOS due to an issue in the Safe Browsing implementation for that platform. Chrome on Windows, Linux, and other platforms are not affected. If you manage a mixed fleet, focus patching efforts on macOS systems.
Do I need user interaction for this vulnerability to be exploited?
Yes. The attacker's malicious file must be downloaded and opened by the user. However, this is a low bar in practice—users download files regularly, and phishing or social engineering campaigns can be used to increase the likelihood of interaction. Safe Browsing's failure to detect the file removes a critical safeguard that users rely on.
Is this vulnerability being actively exploited in the wild?
There is no indication in the CVE record or public advisories that this vulnerability has been exploited in the wild as of the vulnerability publication date. However, the simplicity of the attack means exploitation could begin at any time once the vulnerability becomes widely known. Immediate patching is recommended rather than waiting for active exploitation confirmation.
Can I mitigate this without patching Chrome?
Patching is the definitive fix. Complementary mitigations include disabling Chrome downloads, restricting file types users can open, or requiring approval for downloaded files via Mobile Device Management. However, none of these fully prevent exploitation if a determined attacker finds a vector. Upgrade to version 149.0.7827.53 or later as soon as possible.
This analysis is based on the CVE record and publicly available information as of the modification date. Security advisories and patch availability may change; verify all patch versions and timelines against the official Google Chrome security advisory and your vendor documentation. No exploit code or weaponized proof-of-concept has been provided or developed. This is for informational purposes to aid security decision-making and risk prioritization. Organizations should conduct their own threat modeling and testing before broad deployment of patches in production environments. The absence of a vulnerability from the KEV catalog does not indicate low risk; it indicates lack of public reporting of active exploitation. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10928HIGHScript Injection in Google Chrome Headless – CVSS 8.8 High Severity
- CVE-2026-9938HIGHChrome V8 Sandbox Escape – High Severity Code Execution Vulnerability
- CVE-2026-9976HIGHHigh-Severity Chrome USB Vulnerability (RCE via Malicious Webpage)
- CVE-2026-11157MEDIUMChrome Script Injection in Accessibility (UXSS via Extension)
- CVE-2026-11218MEDIUMChrome PlatformIntegration Code Execution Vulnerability (Windows)
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)