CVE-2026-11190 in Chrome
Summary
by MITRE • 06/05/2026
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium)
Analysis
by VulDB Data Team • 06/05/2026
This vulnerability is a critical flaw in Google Chrome's extension management system, present in versions prior to 149.0.7827.53, that undermines the browser's discretionary access control mechanisms. It stems from an inadequate implementation of extension security controls: when a user inadvertently installs a harmful extension, that extension can bypass the access restrictions that would normally apply to it. The attack vector is a crafted Chrome extension built to exploit weaknesses in the browser's permission handling and access control enforcement. The flaw sits in the extension installation and execution pipeline, creating a pathway for unauthorized code execution that circumvents the security boundaries normally enforced by the operating system and the browser's sandboxing.
The weakness lies in how Chrome processes extension metadata and permission requests during installation, failing to validate the extension's intended behavior against established security policies. The vulnerability falls under the broader category of access control bypass and is classified as CWE-284 (Improper Access Control). It enables an attacker to manipulate the installation process to gain elevated privileges or reach restricted system resources that should be protected from extension code. Operationally, a single user interaction with a malicious extension can result in complete system compromise, because the extension can bypass the file system access controls and network restrictions that normally protect user data and system integrity.
The impact goes beyond simple privilege escalation: it undermines the security model Chrome relies on to protect users from malicious software. An attacker can build an extension that appears legitimate at installation but executes malicious code with elevated privileges, potentially reaching user credentials, browsing data, or system files. The Medium severity assigned under Chromium's security classification reflects the risk to users, particularly in environments where they may be tricked into installing extensions from untrusted sources. The flaw also maps to ATT&CK technique T1176 (Browser Extensions), which covers extensions used for persistence and privilege escalation, showing how it can be leveraged as part of a broader campaign.
Organizations and users should update to Chrome 149.0.7827.53 or later, which fixes the implementation flaw in extension permission handling and access control enforcement. Security teams should also enforce strict extension management policies: mandatory review of every extension before it is installed, user education against the social engineering this vulnerability depends on, monitoring for suspicious extension installations, and browser policies that restrict installation to trusted sources only. Together these measures reduce the attack surface and prevent exploitation of this access control bypass.
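The three remediation items above (confirm the build is patched, inventory installed extensions against a trusted list, and restrict installation by policy) can be checked with a short script. The following is an added example, not code from VulDB or the Chromium project. It assumes Chrome's usual on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`, uses the real Chrome enterprise policy keys `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist`, and works on two constructed sample manifests with made-up extension IDs so it runs offline; the fixed version string is the one named in the advisory.

```python
"""Defender-side checks for CVE-2026-11190 (added example, not VulDB or Chromium code).

Covers the three remediation items: confirm the installed Chrome build is at or
beyond the fixed release, inventory a profile's extensions against an
organisation allowlist, and emit the Chrome enterprise policy that restricts
installation to that allowlist.
"""
import json
import tempfile
from pathlib import Path

# Fixed release named in the advisory.
FIXED_VERSION = "149.0.7827.53"

# Constructed sample extension IDs (real Chrome IDs are 32 chars drawn from a-p).
SAMPLE_ALLOWED_ID = "a" * 32
SAMPLE_UNLISTED_ID = "b" * 32


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a comparable 4-tuple (missing parts count as 0)."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_chrome_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is the fixed release or later."""
    return parse_version(version) >= parse_version(fixed)


def audit_extensions(extensions_dir, allowlist):
    """Read every <id>/<version>/manifest.json under a Chrome profile's Extensions
    directory and report id, name, version, requested permissions and whether the
    id is on the allowlist. Assumes Chrome's standard on-disk layout."""
    findings = []
    for manifest in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        data = json.loads(manifest.read_text(encoding="utf-8"))
        # MV2 lists host patterns under "permissions"; MV3 splits them into "host_permissions".
        perms = list(data.get("permissions", [])) + list(data.get("host_permissions", []))
        findings.append({
            "id": ext_id,
            "name": data.get("name", "?"),
            "version": data.get("version", "?"),
            "permissions": perms,
            "allowed": ext_id in allowlist,
        })
    return sorted(findings, key=lambda f: f["id"])


def emit_policy(allowlist):
    """Chrome enterprise policy that blocks every extension except the allowlist.
    On Linux this dict, written as JSON into /etc/opt/chrome/policies/managed/,
    is read by Chrome; other platforms carry the same keys via registry or plist."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(allowlist),
    }


def build_sample_profile(root) -> Path:
    """Write two constructed manifests in Chrome's on-disk layout for the demo."""
    ext_root = Path(root) / "Extensions"
    samples = {
        SAMPLE_ALLOWED_ID: {"manifest_version": 3, "name": "Approved Notes",
                            "version": "1.2.0", "permissions": ["storage"]},
        SAMPLE_UNLISTED_ID: {"manifest_version": 3, "name": "Free Coupons",
                             "version": "0.9", "permissions": ["nativeMessaging", "tabs"],
                             "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        d = ext_root / ext_id / f"{manifest['version']}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_root


def demo_audit():
    """Run the audit against the constructed profile and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_sample_profile(tmp), {SAMPLE_ALLOWED_ID})


if __name__ == "__main__":
    for v in ("148.0.9999.99", "149.0.7827.52", FIXED_VERSION, "150.0.0.0"):
        print(f"Chrome {v}: {'patched' if is_chrome_patched(v) else 'VULNERABLE'}")
    for f in demo_audit():
        flag = "ok      " if f["allowed"] else "UNLISTED"
        print(f"{flag} {f['id']} {f['name']} {f['version']} perms={f['permissions']}")
    print(json.dumps(emit_policy({SAMPLE_ALLOWED_ID}), indent=2))
```

Point `audit_extensions` at a real profile's `Extensions` directory to list what is installed and which entries fall outside the allowlist; the unlisted sample above requests `<all_urls>` and `nativeMessaging`, the kind of broad permission set worth reviewing before approval. The policy dict is the deny-by-default shape the last paragraph recommends: everything blocked, then only reviewed IDs allowed.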