Cyber Resilience

CVE-2026-11092

HighUpdated

Published: 04 June 2026

Published
04 June 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0018 7.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-11092 is a high-severity Client-Side Enforcement of Server-Side Security (CWE-602) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Extensions (T1176.001); ranked at the 7.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Medium)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1176.001 Browser Extensions Persistence
Adversaries may abuse internet browser extensions to establish persistent access to victim systems.
Why these techniques?

Vulnerability in Chrome DevTools policy enforcement directly enables crafted malicious browser extensions to achieve privilege escalation after user installation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

google
chrome
≤ 149.0.7827.53

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References