CVE-2026-11301 Overview
CVE-2026-11301 is an out-of-bounds memory access vulnerability in the LiveCaption component of Google Chrome prior to version 149.0.7827.53. The flaw stems from an inappropriate implementation in LiveCaption that processes network traffic data without proper bounds validation. A remote attacker can trigger the issue by delivering malicious network traffic to a vulnerable browser instance. Successful exploitation requires user interaction and can lead to memory disclosure or process compromise. The vulnerability is tracked under CWE-125 (Out-of-Bounds Read) and affects Chrome on Windows, macOS, and Linux desktop platforms.
Critical Impact
A remote attacker can trigger out-of-bounds memory access in Chrome's LiveCaption component via malicious network traffic, potentially leading to memory disclosure or browser process compromise.
Affected Products
- Google Chrome versions prior to 149.0.7827.53
- Chrome desktop builds on Microsoft Windows, Apple macOS, and Linux
- Any Chromium-based application embedding the affected LiveCaption code path
Discovery Timeline
- 2026-06-05 - CVE-2026-11301 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-11301
Vulnerability Analysis
The vulnerability resides in Chrome's LiveCaption feature, which provides real-time captioning for audio and video content played in the browser. LiveCaption ingests media stream data and passes it through speech recognition processing. The defect allows memory access beyond the allocated buffer when handling specially crafted input from network sources.
Because LiveCaption operates on data sourced from arbitrary remote origins, an attacker can stage a malicious page or media stream that delivers the triggering payload. Exploitation requires the victim to load attacker-controlled content while LiveCaption processing is active. Although Chromium rates the underlying severity as Low, the network-reachable attack surface and high impact on confidentiality, integrity, and availability elevate the overall risk.
Root Cause
The root cause is an improper bounds check in the LiveCaption media data handling logic. The component reads beyond the end of an allocated buffer when parsing untrusted network-supplied content. This is consistent with CWE-125, where the read operation accesses memory outside the intended buffer range.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts a malicious site or media resource. When a user with LiveCaption enabled visits the site or plays the media, Chrome processes the crafted traffic and triggers the out-of-bounds read. No authentication is required. The full technical context is tracked in Chromium Issue Tracker #504180386.
No verified proof-of-concept code is publicly available. See the Chrome Release Update for the official advisory.
Detection Methods for CVE-2026-11301
Indicators of Compromise
- Chrome renderer or utility process crashes correlated with LiveCaption activity in the affected version range
- Unexpected child process termination logs referencing the speech recognition service
- Browser telemetry showing repeated media stream parsing errors from a single external origin
Detection Strategies
- Inventory all endpoints running Google Chrome and identify versions below 149.0.7827.53
- Monitor for outbound connections to suspicious media hosts when LiveCaption is enabled at the policy level
- Correlate Chrome crash dumps with the LiveCaption module to surface potential exploitation attempts
Monitoring Recommendations
- Ingest Chrome version telemetry into your SIEM and alert on hosts below the patched build
- Track GPO or MDM configuration of the LiveCaptionsAllowed policy across managed fleets
- Review web proxy logs for unusual media MIME types delivered from low-reputation domains
How to Mitigate CVE-2026-11301
Immediate Actions Required
- Update Google Chrome to version 149.0.7827.53 or later on Windows, macOS, and Linux
- Force-restart Chrome on managed endpoints to ensure the patched binary is loaded
- Audit Chromium-based browsers and Electron applications that may embed the vulnerable LiveCaption code path
Patch Information
Google released the fix in the Stable channel update documented in the Chrome Release Update. Administrators should deploy Chrome 149.0.7827.53 or later through enterprise update mechanisms. Additional technical context is available in the Chromium Issue Tracker #504180386.
Workarounds
- Disable LiveCaption via the LiveCaptionsAllowed enterprise policy until patching is complete
- Restrict browsing to trusted origins through web filtering controls
- Educate users to avoid playing media from untrusted sources while LiveCaption is enabled
# Disable LiveCaption via Chrome enterprise policy (Windows registry example)
reg add "HKLM\Software\Policies\Google\Chrome" /v LiveCaptionsAllowed /t REG_DWORD /d 0 /f
# Verify Chrome version on Linux endpoints
google-chrome --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
