Description
Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from inadequate policy enforcement within DevTools in Google Chrome prior to version 149.0.7827.53. An attacker that can persuade a user to install a malicious extension can abuse this flaw to elevate privileges, as the crafted extension bypasses internal security checks. This granting of higher privileges can allow the attacker to execute privileged operations on the host system, compromising confidentiality, integrity, and availability of data stored or accessed by the browser.

Affected Systems

Google Chrome browsers on all platforms that run a version older than 149.0.7827.53 are potentially impacted. The affected product is Google Chrome itself, where the policy enforcement check was part of the DevTools module.

Risk and Exploitability

The vulnerability is listed with a medium Chromium internal severity, but no external CVSS or EPSS score is available. Because the exploit requires a user to install a malicious extension, the attack vector is social engineering. The exploit is potentially feasible if a user is deceived into installing an extension from an untrusted source. With no EPSS or KEV information, the precise likelihood of exploitation remains uncertain, yet the nature of privilege escalation warrants prompt mitigation.

Generated by OpenCVE AI on June 5, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or newer, which removes the improper policy enforcement in DevTools
  • Review and remove any extensions that were installed from untrusted or unknown sources
  • Enforce a strict extension installation policy or whitelist on enterprise systems to prevent unauthorized or malicious extensions from being installed

Generated by OpenCVE AI on June 5, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Malformed Chrome Extension
Weaknesses CWE-269

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Medium)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:53.180Z

Reserved: 2026-06-04T17:06:48.275Z

Link: CVE-2026-11092

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:14.160

Modified: 2026-06-04T23:17:14.160

Link: CVE-2026-11092

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T03:30:30Z

Weaknesses