MEDIUM 5.0

CVE-2026-11281: Google Chrome Chromoting Integer Overflow Information Disclosure

Google Chrome on Windows contains an integer overflow vulnerability in its Chromoting remote desktop component that could allow a local attacker with user-level privileges to read sensitive information from the browser's memory. The attack requires user interaction and relies on sending a specially crafted Event Tracing for Windows (ETW) event. This is a local-only attack requiring existing system access, not a remote exploitation vector.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.0 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-190, CWE-472
Affected products
2 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Integer overflow in Chromoting in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted ETW event. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11281 is an integer overflow (CWE-190) occurring in the Chromoting subsystem of Google Chrome versions prior to 149.0.7827.53 on Windows platforms. The vulnerability exists in ETW event processing and results in improper input validation (CWE-472), allowing an authenticated local process to trigger memory disclosure. The integer overflow occurs during computation of buffer sizes or offsets, leading to out-of-bounds memory access that leaks heap or stack data to an unprivileged attacker. Chromium's internal severity rating is Low, though the CVSS v3.1 score of 5.0 reflects medium severity due to the confidentiality impact and low complexity of exploitation once code execution or high system privileges are established.

Business impact

The vulnerability enables local privilege escalation reconnaissance and credential theft scenarios. An attacker already present on a Windows system could harvest authentication tokens, session cookies, or other secrets from Chrome's memory without elevated privileges, then use that information for lateral movement or account takeover. For organizations heavily dependent on Chrome for web-based applications, this represents a meaningful insider threat vector. The requirement for user interaction and local access significantly limits blast radius, but the information disclosure impact is noteworthy in high-sensitivity environments.

Affected systems

Google Chrome versions earlier than 149.0.7827.53 running on Microsoft Windows systems are vulnerable. This includes all Windows variants (Home, Pro, Enterprise) running affected Chrome versions. The vulnerability is specific to Windows due to the ETW mechanism; other operating systems are not impacted by this particular issue. Chrome on macOS, Linux, and mobile platforms are unaffected.

Exploitability

Exploitation is feasible but constrained by prerequisites. An attacker must already have local system access and user-level permissions, and must interact with or manipulate the targeted Chrome user's session. No remote code execution is required, and the attack does not require Chrome to be in any special state. However, the need for ETW event crafting and knowledge of Chromoting internals places this beyond script-kiddie range. Once a foothold exists on a target system, exploitation effort is low. No known public exploits or KEV inclusion as of the data date.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Users should enable automatic updates or manually check Chrome's About page (chrome://about/) to verify the installed version. Organizations should enforce Chrome version policies and consider blocking older versions at the network level if feasible. On Windows systems with high-value users, implement additional monitoring of ETW event generation and suspicious Chromoting process behavior.

Patch guidance

Deploy Chrome 149.0.7827.53 or newer as soon as possible. This is primarily a user-level remediation; however, enterprise administrators managing Chrome through Group Policy (Windows) or similar mechanisms should update their baseline configurations. The patch is cumulative, so updating to any version 149.0.7827.53 or higher resolves the issue. Verify patch deployment by checking chrome://version in affected browsers post-update.

Detection guidance

Monitor for suspicious ETW event generation targeting Chromoting processes, particularly non-standard or malformed events. Check process memory dumps of chrome.exe for evidence of unauthorized memory reads or heap spraying attempts. Endpoint detection and response (EDR) tools should flag unexpected interactions between user-mode processes and Chromoting subsystem components. Log Chrome version strings at login and periodically to detect outdated installations. Flag scenarios where local users attempt to interact with other users' Chrome profiles or Chromoting sessions.

Why prioritize this

While the CVSS score is medium and the vulnerability requires local access, the information disclosure impact and low complexity of exploitation once present on a system warrant prioritization for environments with insider threat concerns or where Chrome processes handle sensitive authentication data. Organizations with remote workers or BYOD programs should treat this with higher urgency. The low Chromium severity rating suggests Google's risk assessment was conservative; however, the actual attack surface in real-world credential theft scenarios is notable enough to warrant timely patching rather than deferment.

Risk score, explained

CVSS 5.0 (Medium) reflects a local attack vector with low complexity and user interaction, resulting in high confidentiality impact but no integrity or availability compromise. The score appropriately weights the threat: while not as critical as remote code execution vulnerabilities, the ability to extract secrets from memory is a meaningful risk in multi-user or high-value target environments. The discrepancy between Chromium's Low internal rating and the Medium CVSS score likely stems from different rating methodologies; trust the CVSS score for comparative prioritization across your vulnerability portfolio.

Frequently asked questions

Do I need Chrome running as administrator for this to affect me?

No. The vulnerability can be exploited by a local attacker with standard user-level permissions. However, the attacker must already have some form of code execution or the ability to generate ETW events on the same system where Chrome is running.

Does this vulnerability allow remote attackers to steal my data?

No. This is strictly a local attack requiring the attacker to already be present on your Windows system. It cannot be exploited over the network or via a malicious website.

Will updating Chrome remove any locally stored sensitive data?

Updating Chrome does not wipe stored credentials. The patch closes the integer overflow; however, if you suspect your system was compromised, consider changing important passwords after patching and running additional security diagnostics.

Does this affect Chrome on macOS or Linux?

No. The vulnerability is specific to the Windows implementation of Chromoting and ETW event handling. Chrome on macOS, Linux, and mobile platforms is not affected.

This analysis is provided for informational purposes and based on publicly available vulnerability data as of the publication date. No proof-of-concept or weaponized exploit code is included. Organizations should validate patch availability and compatibility in their environment before deployment. Consult vendor advisories and security bulletins for definitive technical details and official remediation guidance. This vulnerability assessment does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).