CVE-2026-11658 Overview
CVE-2026-11658 is a site isolation bypass in Google Chrome's Extensions component caused by insufficient validation of untrusted input. The flaw affects Chrome versions prior to 149.0.7827.103 on Windows, macOS, and Linux. A remote attacker who has already compromised the renderer process can serve a crafted HTML page to escape the isolation boundary that Chrome enforces between sites. Chromium engineers rated the underlying issue High severity, while the NVD assigns a CVSS 3.1 score of 6.5 (Medium). The weakness maps to [CWE-20] Improper Input Validation. Successful exploitation undermines the same-origin guarantees that browsers rely on to keep tabs, extensions, and cross-site content separated.
Critical Impact
An attacker chaining this bug with a prior renderer compromise can bypass Chrome site isolation and access data belonging to other origins through a crafted HTML page.
Affected Products
- Google Chrome prior to 149.0.7827.103 on Microsoft Windows
- Google Chrome prior to 149.0.7827.103 on Apple macOS
- Google Chrome prior to 149.0.7827.103 on Linux
Discovery Timeline
- 2026-06-09 - CVE-2026-11658 published to the National Vulnerability Database
- 2026-06-10 - CVE-2026-11658 record last modified in NVD
Technical Details for CVE-2026-11658
Vulnerability Analysis
The vulnerability resides in Chrome's Extensions subsystem, which mediates messaging and resource access between extension contexts and web pages. Chrome enforces site isolation by placing documents from different sites into separate renderer processes. The Extensions layer must validate inputs that cross the renderer-to-browser boundary so that a compromised renderer cannot impersonate another origin. In affected builds, this validation is incomplete. An attacker who already controls a renderer process can deliver a crafted HTML page that supplies malformed extension-related input, prompting the browser to honor cross-origin operations it would normally reject. User interaction is required, consistent with the need to load attacker-controlled content. The result is a confidentiality and integrity break of the site isolation boundary, though the issue does not directly grant code execution on the host.
Root Cause
The root cause is improper input validation [CWE-20] in extension handling code paths. Chrome trusts certain structured input from the renderer when routing extension messages and resource requests. Without strict checks on origin, frame identity, and message shape, a malicious renderer can craft payloads that the browser process treats as legitimate cross-site requests, defeating per-site process separation.
Attack Vector
Exploitation is network-reachable and requires user interaction, typically loading a malicious page in a vulnerable Chrome build. The attacker must already have compromised a renderer process, which is usually achieved by chaining this bug with a separate renderer vulnerability. Once chained, the crafted HTML page triggers the extension input-handling flaw and bypasses site isolation, exposing data from other origins rendered in the same browser instance. No specific exploitation code is published in the referenced advisories. Refer to the Chromium Issue Tracker Entry and the Chrome Stable Channel Update for vendor detail.
Detection Methods for CVE-2026-11658
Indicators of Compromise
- Chrome browser processes running versions earlier than 149.0.7827.103 after the patch release window.
- Renderer process crashes or unexpected termination events preceding anomalous cross-origin data access in browser telemetry.
- Outbound connections from endpoints to attacker-controlled domains immediately after loading untrusted HTML content.
Detection Strategies
- Inventory deployed Chrome versions across the fleet and flag any installation below 149.0.7827.103.
- Correlate web proxy logs with endpoint browsing activity to identify users visiting newly registered or low-reputation domains hosting crafted HTML pages.
- Hunt for extension manifest changes and unexpected extension installations that could be used to stage renderer compromise chains.
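The fleet version check above needs a numeric comparison against the fixed build: a string compare treats 149.0.7827.99 as newer than 149.0.7827.103. This is an added example, not the advisory's own tooling; the inventory lines and hostnames are constructed, mimicking what `google-chrome --version` and the PowerShell VersionInfo check print.

```python
# Added example for the version-inventory check above; not the advisory's code.
import re
from typing import Optional

FIXED_VERSION = "149.0.7827.103"  # first fixed stable build per the advisory
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> Optional[tuple]:
    """Extract a four-component Chrome version as a tuple of ints.

    Accepts 'Google Chrome 149.0.7827.103' (Linux/macOS output) and the bare
    '149.0.7827.103' the Windows check prints; returns None if none found.
    """
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True when the reported build is older than the fixed one.

    Components compare numerically: a plain string comparison would treat
    149.0.7827.99 as newer than 149.0.7827.103 and miss that host.
    """
    v = parse_version(version_text)
    return None if v is None else v < parse_version(fixed)


def triage_inventory(lines):
    """Bucket 'host<TAB>version output' lines into vulnerable/patched/unknown."""
    buckets = {"vulnerable": [], "patched": [], "unknown": []}
    for line in lines:
        host, _, output = line.partition("\t")
        state = is_vulnerable(output)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        buckets[key].append(host.strip())
    return buckets


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    "ws-linux-01\tGoogle Chrome 149.0.7827.103",
    "ws-mac-02\tGoogle Chrome 149.0.7827.99",
    "ws-win-03\t148.0.7700.120",
    "ws-win-04\t149.0.7830.0",
    "ws-linux-05\tgoogle-chrome: command not found",
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```

Hosts landing in the "unknown" bucket (no parseable version) should be re-checked rather than assumed patched.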
Monitoring Recommendations
- Enable browser-side reporting such as Chrome Enterprise Reporting to track version compliance and crash events.
- Monitor process telemetry for chrome.exe or chrome child processes spawning unusual children or generating high-volume IPC errors.
- Alert on extension installations from sources outside the managed allowlist defined in enterprise policy.
How to Mitigate CVE-2026-11658
Immediate Actions Required
- Update Google Chrome to version 149.0.7827.103 or later on all Windows, macOS, and Linux endpoints.
- Force-restart Chrome after deployment so the new binary loads in active user sessions.
- Audit installed extensions and remove any that are unsigned, sideloaded, or outside the corporate allowlist.
Patch Information
Google fixed CVE-2026-11658 in the Chrome stable channel build 149.0.7827.103. Patch details and the full set of co-released fixes are documented in the Chrome Releases announcement. Enterprises using Chrome Browser Cloud Management or MDM tooling should push the updated version through standard update channels and verify version compliance.
Workarounds
- Restrict extension installation to a managed allowlist using the ExtensionInstallAllowlist and ExtensionInstallBlocklist enterprise policies until patching completes.
- Block access to untrusted web content through secure web gateway category filtering and DNS filtering.
- Encourage users to avoid clicking links from unsolicited sources until all endpoints are on 149.0.7827.103 or later.
# Verify installed Chrome version on Linux/macOS
google-chrome --version

# Windows PowerShell version check
(Get-Item "$Env:ProgramFiles\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion

# Example enterprise policy snippet (Linux JSON policy)
# /etc/opt/chrome/policies/managed/chrome_policy.json
# Replace the placeholders with the IDs of approved extensions; the "*" blocklist entry blocks everything not allowlisted.
{
  "ExtensionInstallAllowlist": ["<extension-id-1>", "<extension-id-2>"],
  "ExtensionInstallBlocklist": ["*"]
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.