MEDIUM 4.3

CVE-2026-11266: Chrome Safe Browsing Bypass Vulnerability — Patch v149.0.7827.53

Google Chrome versions before 149.0.7827.53 contain a flaw in the Safe Browsing feature that allows a remote attacker to bypass its protections by delivering a specially crafted file. An attacker would need to trick a user into opening or interacting with the malicious file, but if successful, the user's safety checks could be circumvented, potentially allowing access to sites or content that Safe Browsing would normally block.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-693
Affected products
4 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in SafeBrowsing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass Safe Browsing via a malicious file. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11266 stems from an inappropriate implementation in Chrome's Safe Browsing module. The vulnerability exists in how the browser validates and processes files before applying Safe Browsing checks. The flaw allows an attacker to craft a file that evades Safe Browsing's detection logic without requiring elevated privileges or special system-level access. The issue is classified under CWE-693 (Protection Mechanism Failure), indicating a weakness in how the protective mechanism itself is designed or applied. While Chromium's security team rated this as Low severity internally, the CVSS v3.1 score reflects a MEDIUM severity with an integrity impact, meaning the attack compromises the integrity of the user's browsing safety posture.

Business impact

This vulnerability reduces the effectiveness of Chrome's safety mechanisms, which many organizations and users rely on to prevent phishing, malware, and other web-based threats. For business users, a bypass could result in accidental visits to malicious sites, credential theft, or malware installation if combined with social engineering. The integrity impact (rather than confidentiality or availability) means the core function of Safe Browsing—blocking dangerous content—becomes unreliable for affected users. Enterprise environments using Chrome as a standard browser should prioritize updates to maintain consistent endpoint protection.

Affected systems

The vulnerability affects Google Chrome on Windows, macOS, and Linux systems running versions prior to 149.0.7827.53. While the CVE data lists the underlying operating systems (Windows, macOS, Linux kernel) as vendors/products, the actual vulnerability is in the Chrome browser itself; systems are affected only if Chrome is installed and in use. Other Chromium-based browsers may also be affected if they have not ported the fix, though this CVE specifically references Google Chrome.

Exploitability

The attack requires user interaction (opening or interacting with a malicious file), which is reflected in the CVSS vector's UI:R parameter. An attacker would need to socially engineer a user into opening a crafted file, reducing the likelihood of large-scale automated attacks. However, the attack vector is network-based (AV:N), meaning the malicious file can be delivered remotely via email, web downloads, or file-sharing services. The low attack complexity (AC:L) suggests the attacker does not need to know specific system details or timing; the bypass should work reliably once the file is opened.

Remediation

Users and administrators should update Google Chrome to version 149.0.7827.53 or later. This update includes the fix for the Safe Browsing implementation flaw. Updates can be applied automatically if auto-update is enabled, or manually via Chrome's settings menu (menu > Help > About Google Chrome). For enterprises, deployment should prioritize endpoints that process untrusted files or permit external file downloads.

Patch guidance

Verify that your Chrome installation is running version 149.0.7827.53 or later by navigating to menu > Help > About Google Chrome. The browser will automatically attempt to check for and download available updates; after the update is applied and the browser is restarted, the vulnerability will be patched. If auto-updates are disabled in your environment, manually trigger the update check or use your organization's software deployment tools to push the patched version. Test Safe Browsing functionality after patching to ensure no unexpected behavior.

Detection guidance

Monitor Chrome version information across your endpoints to identify instances running pre-149.0.7827.53 releases. Endpoint detection and response (EDR) tools may flag suspicious file delivery or processing attempts, though the vulnerability itself does not require special behavioral signatures. Check browser telemetry logs for Safe Browsing warnings that were bypassed or suppressed. If you suspect exploitation, review user browsing history and downloaded files around the time of potential attack vectors.

Why prioritize this

While the CVSS score is MEDIUM and the Chromium team rated it Low severity, this vulnerability directly undermines a key user-facing security control. Prioritize patching in environments where users frequently download or receive files from external sources, and where Safe Browsing bypasses could lead to secondary compromises (e.g., credential theft from phishing). However, this is not a critical exploit-in-the-wild issue and does not warrant immediate business disruption; schedule updates as part of normal maintenance cycles.

Risk score, explained

The CVSS v3.1 score of 4.3 (MEDIUM) reflects: network-based attack vector, low complexity, no privilege requirements, but a requirement for user interaction. The integrity impact indicates the attack undermines Safe Browsing's protective function, but there is no direct confidentiality or availability impact on the user's system itself. The score appropriately captures the moderate risk: not critical, but meaningful enough to warrant timely remediation. Chromium's internal Low severity rating likely emphasizes that this is a feature bypass rather than a system-level compromise.

Frequently asked questions

Can I be exploited by this vulnerability without opening any files?

No. The vulnerability requires user interaction with a malicious file. The file must be opened or interacted with in a way that triggers the Safe Browsing check, so simply receiving a file via email or download does not automatically trigger exploitation.

If I update Chrome, do I need to update my operating system?

No. The fix is in Chrome itself. You only need to update Chrome to version 149.0.7827.53 or later. The underlying operating system (Windows, macOS, or Linux) does not require changes.

Does this vulnerability allow attackers to steal my passwords or data?

Not directly. The vulnerability allows an attacker to bypass Safe Browsing, which could then allow a malicious website to load without warnings. From there, a secondary attack (like phishing or malware) could attempt to steal data, but the vulnerability itself does not access your passwords or files.

Is this vulnerability being actively exploited?

No. The CVE has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of active exploitation in the wild as of the last update. However, this does not mean future exploitation is impossible, so timely patching remains important.

This analysis is based on vulnerability data as of June 2026. Patch version numbers and affected product lists are sourced from official vendor advisories and should be verified against Google Chrome's official release notes before deployment. Exploitation has not been confirmed in the wild. This assessment assumes users will receive updates through Chrome's auto-update mechanism or manual updates; organizations with custom or offline deployments should verify patch availability through their distribution channels. No exploit code or weaponization details are provided. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).