CVE-2026-11238: Chrome DevTools Memory Disclosure via Malicious Extension
Google Chrome versions before 149.0.7827.53 contain a flaw in how DevTools handles extension interactions that could allow an attacker to extract sensitive data from process memory. The attack requires social engineering—convincing a user to install a malicious Chrome extension—but if successful, an attacker gains access to potentially confidential information stored in memory that the extension can observe. This is classified as a medium-severity issue despite Chromium's internal 'Low' rating, reflecting the real-world impact of memory disclosure combined with the user-interaction barrier.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-306
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from an inappropriate implementation in Chrome's DevTools architecture that fails to properly isolate or restrict what data a malicious extension can access from process memory. Specifically, a crafted Chrome Extension with the right permissions can leverage DevTools interfaces to read memory regions that should be protected. The issue maps to CWE-306 (Missing Authentication for Critical Function), indicating that memory access controls lack sufficient verification. The attack vector is network-adjacent (social engineering via malicious extension distribution), complexity is high due to the user-installation requirement, and impact is confidentiality loss without integrity or availability compromise.
Business impact
Memory disclosure vulnerabilities pose indirect but meaningful business risk. An attacker extracting process memory could potentially recover authentication tokens, API keys, session data, personal information in transit, or proprietary application state from browser processes. For organizations with strict data handling requirements or those subject to regulatory frameworks (HIPAA, PCI-DSS, GDPR), such leaks create compliance violations and potential liability. The requirement for user trust—installing an extension—makes this most dangerous in environments with inadequate security awareness or where users are targeted by convincing social engineering campaigns.
Affected systems
The vulnerability affects Google Chrome on Windows, macOS, and Linux systems running versions prior to 149.0.7827.53. It is technically cross-platform because the flaw resides in Chrome's core DevTools implementation. The attack surface is limited to users who can be persuaded to install an untrusted or spoofed Chrome extension, making targeted users and those with permissive extension policies at highest risk.
Exploitability
Exploitability is constrained by user interaction requirements: the attacker must successfully convince or trick a user into installing a malicious extension. This is not a zero-click or zero-user-interaction flaw. However, once installed, the malicious extension operates with relatively straightforward access to DevTools memory-inspection capabilities. The high-complexity CVSS rating reflects these barriers, but determined adversaries using social engineering, typosquatting, or compromised distribution channels can overcome them. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities catalog, indicating no in-the-wild weaponization has been publicly documented at the time of publication.
Remediation
Patch to Google Chrome 149.0.7827.53 or later immediately. This update corrects the DevTools implementation to properly restrict extension access to process memory. Additionally, organizations should reinforce security awareness training on extension installation risks, enforce extension allowlisting policies where feasible, and monitor for suspicious extension installations in audit logs. Users should review installed extensions regularly and remove anything unfamiliar or unnecessary.
Patch guidance
Google has released Chrome version 149.0.7827.53 containing the fix. Users on Windows, macOS, and Linux should update as soon as possible. Chrome's auto-update mechanism will push the patch automatically for most users, but verify successful installation by checking Settings > About Google Chrome. Enterprise administrators should test the patch in a staging environment and deploy via Chrome Enterprise policies to ensure compatibility with internal workflows and extensions before rolling out to production.
Detection guidance
Monitor for suspicious Chrome extension installations—particularly those from unknown publishers or with unusual permission requests. In security logs, track extension installation events and flag any that request excessive permissions, especially those with 'webRequest' or 'scripting' capabilities combined with broad URL patterns. Memory-access anomalies (high entropy reads from process memory via extensions) may indicate exploitation attempts, though direct detection is difficult. Endpoint detection and response (EDR) tools should flag unexpected child processes or unusual memory manipulation from Chrome subprocesses. Consider blocking third-party or untrusted extension sources via Group Policy or MDM policies.
Why prioritize this
While not in active exploitation and carrying Chromium's internal 'Low' severity rating, the CVSS score of 5.9 (MEDIUM) combined with memory-disclosure impact justifies near-term patching. The practical barrier—requiring user installation of a malicious extension—reduces urgency compared to remotely exploitable flaws, but organizations with high-value targets, strict compliance requirements, or users handling sensitive data should prioritize this update. The low effort required by attackers post-installation and the sensitive nature of memory contents warrant timely remediation within standard patch cycles.
Risk score, explained
The CVSS 3.1 score of 5.9 (MEDIUM) reflects a confidentiality-only impact (high) tempered by high attack complexity and the need for user interaction (no privileges required, no special system configuration needed, but convincing installation of a malicious extension is a significant real-world hurdle). The vector notation AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N indicates network-adjacent attack vector, high complexity, no privilege prerequisite, no user interaction after installation, unchanged scope, and high confidentiality impact with no integrity or availability loss. This is a classic data-disclosure vulnerability with a friction-dependent exploitation model.
Frequently asked questions
Do I need to update Chrome immediately, or can this wait?
Update within your normal patch cycle, prioritizing if users handle sensitive data or you operate in regulated industries. The vulnerability requires social engineering to exploit, so it's not an emergency requiring out-of-band patching, but should not be deferred indefinitely. Testing and deployment within 30 days is reasonable for most organizations.
Can I detect if a malicious extension has exploited this vulnerability?
Direct detection is difficult because the vulnerability allows an extension to read memory without leaving obvious artifacts. However, monitor for suspicious extension installations, extensions with unusual permissions, and unusual memory-access patterns via EDR tools. Disable extensions users don't recognize, and audit Chrome's extension list regularly.
Does this affect Chrome on mobile devices?
This vulnerability is specific to Chrome on desktop operating systems (Windows, macOS, Linux) where the DevTools architecture operates differently. Mobile versions of Chrome have a distinct codebase and sandbox model, though you should keep all Chrome versions updated as a general best practice.
What should I tell users about extension safety?
Advise users to install extensions only from the official Chrome Web Store, verify publisher identity (check reviews and publisher profile), review requested permissions carefully before installation, and remove unfamiliar or unnecessary extensions regularly. Avoid installing extensions from third-party sources or suspicious links, especially in emails or social media.
This analysis is based on publicly disclosed vulnerability data current as of the publication date. Patch versions, affected product versions, and CVSS scores reflect the authoritative CVE record and vendor advisories. Readers should verify compatibility and testing requirements against Google's official security advisory before deploying patches. This assessment does not constitute legal or compliance advice; organizations subject to regulatory frameworks should consult compliance teams regarding remediation timelines. Exploitation details and proof-of-concept code are intentionally omitted to minimize malicious use potential. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)