CVE-2026-11276: Chrome Cast Access Control Bypass on Local Networks
Google Chrome versions before 149.0.7827.53 contain a flaw in how the Cast feature (which enables screen mirroring and media streaming to nearby devices) processes network traffic. An attacker physically present on the same local network can send specially crafted traffic to bypass access controls that would normally prevent unauthorized casting operations. This is a local network attack that doesn't require user interaction but is limited in scope—it cannot crash systems or execute arbitrary code, only manipulate casting permissions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.1 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-269
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to bypass discretionary access control via malicious network traffic. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from improper implementation of access control logic in Chrome's Cast subsystem. The weakness (CWE-269: Improper Access Control) allows an unauthenticated local network attacker to craft malicious network packets that circumvent discretionary access control (DAC) checks. The attack surface is restricted to the local network segment; remote exploitation is not feasible. Chromium rated this as Low severity within their own framework, though the CVSS 3.1 base score of 5.1 (MEDIUM) reflects the combination of local attack vector, low complexity, and the ability to compromise both confidentiality and integrity of casting sessions.
Business impact
The practical risk depends on your deployment model. Organizations relying on Chrome's Cast feature for secure internal media streaming or display sharing could see unauthorized users on the network intercept or manipulate those sessions. For typical enterprise environments, this is a lower-priority threat because Cast is rarely the critical path for business operations. However, educational institutions, media companies, or facilities using Chrome-based digital signage should evaluate their network segmentation and whether Cast is exposed to untrusted local network segments.
Affected systems
Google Chrome on all major operating systems (Windows, macOS, Linux) running versions prior to 149.0.7827.53 are affected. The vulnerability is in Chrome itself, not in the underlying OS kernel, though macOS, Windows, and Linux are listed as affected platforms in the context of Chrome distribution. Any user running an older Chrome version with Cast enabled and accessible on a shared or partially trusted local network is potentially exposed.
Exploitability
Exploitation requires the attacker to be on the same local network segment—this means physical proximity or network access to the LAN, WiFi, or corporate network where the target machine resides. No user interaction is required; the malicious traffic can be sent passively. However, the attack is not present in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no active weaponized exploits have been documented in the wild as of the vulnerability publication date. The barrier to entry for a skilled attacker with local network access is low, but real-world exploitation likelihood remains modest due to the narrow attack surface and limited value of compromising Cast functionality.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. This is a straightforward patching exercise via Chrome's built-in auto-update mechanism, which most users receive passively. For organizations managing Chrome deployments via group policy or Mobile Device Management (MDM), ensure policies push the minimum version requirement to 149.0.7827.53 or newer. If Cast functionality is not needed, disabling it via Chrome policies (chrome://policy or enterprise admin console) eliminates the attack vector entirely.
Patch guidance
Chrome 149.0.7827.53 and all subsequent releases contain the fix. Verify the installed version via chrome://version or Settings > About Chrome, which will auto-update if the device is online. For managed environments, update the minimum Chrome version policy to 149.0.7827.53. No manual patching steps are required; Chrome's auto-update system is the primary delivery mechanism. Test the update in a non-production environment if you are running custom integrations that depend on Cast APIs. Rollback risk is minimal; this patch addresses only the access control flaw with no feature removal.
Detection guidance
Monitor network traffic on your local network segment for unusual Cast protocol activity (typically UDP/TCP on ports 5353 for mDNS discovery and 8008/8009 for Cast control). Organizations with network segmentation can isolate Cast-capable devices to a dedicated VLAN and monitor cross-VLAN Cast attempts. Endpoint detection and response (EDR) tools may flag anomalous Cast process behavior, though this vulnerability doesn't spawn child processes or execute code. If Cast session logs are available (via Chrome's diagnostics or MDM reporting), look for casting initiation from unknown or unauthorized devices. Effective detection is challenging because the attack uses legitimate Cast protocol grammar; focus on network-level access controls and device isolation instead.
Why prioritize this
This vulnerability scores MEDIUM on CVSS but warrants lower priority in most environments due to several factors: (1) it requires local network access, not remote exploitation; (2) it does not enable code execution, data exfiltration, or denial of service; (3) it is not yet in CISA's KEV list, indicating minimal active exploitation; (4) Cast functionality is not universally deployed or critical to business continuity in typical corporate settings. Prioritize this for patching if you operate in an environment with high-risk local network sharing (education, hospitality, retail) or if your organization has embedded Cast into critical workflows. For most enterprises, this can be addressed within a standard quarterly patch cycle rather than emergency remediation.
Risk score, explained
The CVSS 3.1 score of 5.1 (MEDIUM) reflects: Attack Vector Local (increases complexity for attacker but still feasible on shared networks), Attack Complexity Low (no special conditions required), Privileges Required None, User Interaction None, Scope Unchanged, Confidentiality Impact Low (attacker may see Cast session details), Integrity Impact Low (attacker may modify Cast commands or stream routing), and Availability None (no denial of service). The 'MEDIUM' severity label balances the low Chromium severity designation against the real (though limited) privacy and integrity risks posed by local network access. It is not scored as 'HIGH' because the impact is bounded to Cast functionality and local scope; it is not 'LOW' because authentication bypass always carries risk in security contexts.
Frequently asked questions
Do I need to disable Cast to be safe from this vulnerability?
No. Updating Chrome to 149.0.7827.53 or later patches the flaw. Disabling Cast is an optional defense-in-depth measure only if your organization does not use the feature or operates in a high-risk local network environment (e.g., guest WiFi, open office spaces).
Can this vulnerability be exploited remotely over the internet?
No. The attack requires the attacker to be on the same local network segment as the target machine. Remote exploitation is not possible, which significantly limits the practical threat landscape.
Will Chrome auto-update protect me?
Yes, provided auto-update is enabled (the default for most Chrome users). If you manage Chrome via enterprise policies, verify that the minimum version policy is set to 149.0.7827.53 or later to ensure compliance across your organization.
Does this vulnerability affect Chrome on mobile devices?
The vulnerability applies to Chrome on all platforms (Windows, macOS, Linux). Chrome on iOS and Android also have Cast capabilities; verify your mobile device Chrome version and ensure it is updated to the patched version.
This analysis is based on publicly disclosed vulnerability data as of the publication date. Security landscapes evolve; check vendor advisories and CISA resources for the latest information. This document does not constitute legal or compliance advice. Organizations should validate patch compatibility and test in non-production environments before production deployment. SEC.co does not have access to active exploit code or zero-day intelligence beyond public sources. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11229MEDIUMChrome Privilege Escalation via Physical Access – Patch Required
- CVE-2026-11308MEDIUMChrome Extension Privilege Escalation Vulnerability
- CVE-2026-11296HIGHChrome ImageCapture Privilege Escalation (149.0.7827.53)
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability