Description
Inappropriate implementation in Installer in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an inappropriate implementation in the Chrome installer for Windows. A malicious file present during installation can be used by a local attacker to gain operating‑system level privileges, effectively compromising the host machine. This allows the attacker to execute arbitrary code with elevated rights.

Affected Systems

The affected product is Google Chrome for Windows. Versions before 149.0.7827.53 are vulnerable. Users of any Windows workstation running these Chrome releases are at risk.

Risk and Exploitability

The vulnerability is rated high severity with a CVSS score of 7.8. The EPSS score is below 1%, indicating a very low probability of exploitation, and the issue is not listed in CISA's KEV catalog. Exploitation requires local access to an untrusted file during the Chrome installation process; it is not a remote attack. A local attacker can trigger the malicious installer to execute code with elevated privileges, giving them OS-level control. Because the attack surface is limited to environments where the installer can be modified, the window of exploitation is narrow.

Generated by OpenCVE AI on June 7, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later.
  • Verify that the installer is downloaded from the official Google Chrome website and check the checksum before installation.
  • Restrict installation privileges for untrusted users and enforce software restriction policies to block unauthorized executables during installation.

Generated by OpenCVE AI on June 7, 2026 at 15:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Mon, 08 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Inappropriate implementation in Installer
Weaknesses CWE-266
References
Metrics threat_severity

None

 threat_severity

Moderate

Sat, 06 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Chrome Installer Privilege Escalation on Windows

Sat, 06 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Sat, 06 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
Title Chrome Installer Privilege Escalation on Windows

Sat, 06 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Malicious Installer in Google Chrome for Windows
Weaknesses CWE-238

Sat, 06 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Malicious Installer in Google Chrome for Windows
Weaknesses CWE-238

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Installer in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)
References

Subscriptions

Google Chrome
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-06T12:16:54.658Z

Reserved: 2026-06-04T17:06:50.888Z

Link: CVE-2026-11103

cve-icon Vulnrichment

Updated: 2026-06-06T02:54:27.262Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:15.860

Modified: 2026-06-08T14:45:42.153

Link: CVE-2026-11103

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11103 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T15:15:46Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-269

    Improper Privilege Management