CVE-2026-11241: Chrome Cast Privilege Escalation via Malicious HTML (CVSS 8)
A vulnerability in Google Chrome's Cast feature allows an attacker on your local network to escalate their privileges on an affected machine by tricking a user into visiting a specially crafted web page. The attack requires the attacker to already be on your network segment and the user to interact with the malicious page, but once triggered, it grants elevated system access. Google rates this as a low-severity issue in Chromium, yet the CVSS 3.1 score reflects broader impact potential including confidentiality, integrity, and availability compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.0 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11241 is an input validation flaw in the Cast subsystem of Google Chrome versions prior to 149.0.7827.53. The vulnerability stems from insufficient sanitization of untrusted input (CWE-20), allowing an adjacent network attacker to construct a malicious HTML payload that, when rendered by a user's browser, executes code with elevated privileges. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates attack complexity is low, but requires user interaction and proximity to the victim's network segment. The flaw does not cross privilege or security boundaries at the kernel level.
Business impact
Successful exploitation allows lateral movement and privilege escalation within corporate or residential networks. An attacker could gain administrative-level control over a single endpoint, leading to theft of sensitive data, installation of malware, system sabotage, or lateral pivots to other hosts. The requirement for local network access somewhat limits exposure in air-gapped or strictly segmented environments, but most organizations have guest networks, IoT devices, or contractor access that could harbor an attacker. Remediation delays increase risk of compromise of high-value user accounts or systems.
Affected systems
Google Chrome prior to version 149.0.7827.53 running on Windows, macOS, or Linux. Verify the exact Chrome version in your environment—the patch version 149.0.7827.53 is the first version containing the fix. Other Chromium-based browsers may also require updates; check with individual vendors (Edge, Brave, Vivaldi, etc.) for their patched versions. The vulnerability is not a kernel issue affecting all operating systems broadly, but rather a Chrome-specific defect.
Exploitability
Exploitation requires an attacker to be on the local network segment and to successfully socially engineer a user into visiting a malicious HTML page. The attack does not require user privileges or special browser configuration; standard browsing activity is sufficient. The low attack complexity and user-interaction requirement make this moderately exploitable in practice, especially in environments where users frequently visit untrusted sites or click suspicious links. The necessity for network adjacency significantly reduces the threat surface compared to internet-wide attacks.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Enable automatic updates in Chrome settings (Settings > About > Google Chrome) to receive patches automatically. For organizations using managed Chrome deployments, apply the update through your management console. If using other Chromium-based browsers, check the respective vendor for equivalent patched versions and timelines. Monitor for any suspicious Cast-related activity or unexpected privilege escalations on affected systems.
Patch guidance
Google has patched this vulnerability in Chrome 149.0.7827.53 and later. Verify your current Chrome version by navigating to Settings > About > Google Chrome; the browser will check for updates automatically and display the current version number. If you are running an earlier version, accept the available update without delay. For enterprise environments, leverage your browser management tools to enforce the minimum version requirement. Consider disabling the Cast feature on sensitive systems if patching is delayed, though this is a workaround and not a substitute for patching.
Detection guidance
Monitor network traffic for suspicious Cast protocol activity from unexpected sources on port 8008 or over mDNS. Examine browser history and process logs on endpoints for unusual Cast operations or suspicious HTML page visits from internal network sources. Web content filtering or proxy logs may reveal attempts to serve malicious HTML payloads to users. Endpoint Detection and Response (EDR) tools should alert on privilege escalation events following Chrome process activity. Additionally, audit Cast device discovery logs if available, as the attack initiates through crafted HTML rendered in the browser.
Why prioritize this
Although Chromium rates this as low severity and it requires local network adjacency, the CVSS 8 (HIGH) score reflects the severity of impact once triggered—full compromise of user confidentiality, integrity, and availability. Prioritize patching in environments with guest networks, frequent contractor access, or elevated-risk user populations. However, air-gapped networks or strict segmentation may defer this slightly lower than critical internet-facing vulnerabilities.
Risk score, explained
The CVSS 3.1 score of 8 (HIGH) is assigned because the vulnerability grants high-impact confidentiality, integrity, and availability compromise (C:H/I:H/A:H) to an adjacent attacker with low complexity (AC:L) and no privileges required (PR:N). However, the attack vector is Adjacent Network (AV:A) rather than Network, and it requires User Interaction (UI:R), which moderates the theoretical exploitability. The score reflects the severity of impact rather than immediate likelihood of widespread exploitation, making it a HIGH-severity finding that warrants timely remediation in most environments.
Frequently asked questions
Can this vulnerability be exploited over the internet, or only on local networks?
Only from an adjacent network segment. The attacker must be on the same local network as the victim. This significantly limits the threat surface compared to internet-facing vulnerabilities, but organizations with guest networks, IoT environments, or vendor/contractor access should treat this as a real risk.
Do I need to disable Cast or uninstall Chrome?
No. Update Chrome to version 149.0.7827.53 or later as soon as possible. Disabling Cast is not a reliable workaround and is unnecessary once patched. Uninstalling Chrome is not practical for most users and does not address the underlying security issue in other Chromium browsers you may use.
Why does Chromium say 'Low' severity when CVSS is 'HIGH'?
Chromium's internal severity rating (Low) reflects their assessment of real-world exploitability and prevalence. The CVSS 3.1 score (8/HIGH) is a standardized metric that weights the maximum impact—confidentiality, integrity, and availability—if exploitation succeeds. Both ratings are valid; CVSS emphasizes potential impact, while Chromium's rating emphasizes likelihood and context.
Is this vulnerability in the KEV (Known Exploited Vulnerabilities) catalog?
No. As of the latest update, this vulnerability has not been observed in active exploitation campaigns or added to the CISA KEV catalog. Nonetheless, timely patching remains essential, as unknown or unreported exploitation may occur in targeted attacks.
This analysis is provided for informational purposes only and reflects the state of known information as of the publication date. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this content. Organizations must verify all patch versions, affected products, and remediation steps against official vendor advisories. Exploit code or weaponized proof-of-concept information is not provided. Your organization's risk assessment may differ based on network architecture, user behavior, and asset criticality. Consult your security team and relevant vendor documentation before implementing any remediation. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10922HIGHChrome DevTools Same-Origin Policy Bypass (CVSS 8.8)
- CVE-2026-10969HIGHChrome Extension Privilege Escalation Vulnerability – Patch Guidance
- CVE-2026-10970HIGHChrome Sandbox Escape via InterestGroups Input Validation Flaw
- CVE-2026-11046HIGHChrome Media Sandbox Escape – Patch Now to Version 149.0.7827.53