CVE-2026-11267 - Vulnerability Details

Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium security severity: Low)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Apple	Macos
Google	Chrome
Linux	Linux Kernel
Microsoft	Windows

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

References

Link	Providers
https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/500528267
https://nvd.nist.gov/vuln/detail/CVE-2026-11267
https://www.cve.org/CVERecord?id=CVE-2026-11267

History

Mon, 08 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Chrome Extension Bypasses Content Security Policy	chromium-browser: Insufficient policy enforcement in Extensions
Weaknesses		CWE-79
References		https://nvd.nist.gov/vuln/detail/CVE-2026-11267 https://www.cve.org/CVERecord?id=CVE-2026-11267
Metrics	threat_severity `None`	threat_severity `Low`

Fri, 05 Jun 2026 23:45:00 +0000

Type	Values Removed	Values Added
Title		Chrome Extension Bypasses Content Security Policy

Fri, 05 Jun 2026 22:30:00 +0000

Type	Values Removed	Values Added
Title	Extension Policy Bypass via Malicious Chrome Extension
Weaknesses	CWE-264 CWE-284

Fri, 05 Jun 2026 21:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 05 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-602
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

Fri, 05 Jun 2026 03:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Fri, 05 Jun 2026 01:15:00 +0000

Type	Values Removed	Values Added
Title		Extension Policy Bypass via Malicious Chrome Extension
Weaknesses		CWE-264 CWE-284

Thu, 04 Jun 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium security severity: Low)
References		https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500528267

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-06-04T23:06:11.164Z

Updated: 2026-06-05T19:36:56.848Z

Reserved: 2026-06-04T17:11:09.948Z

Link: CVE-2026-11267

Vulnrichment

Updated: 2026-06-05T19:36:46.880Z

NVD

Status : Analyzed

Published: 2026-06-05T00:17:03.637

Modified: 2026-06-08T14:18:14.973

Link: CVE-2026-11267

Redhat

Severity : Low

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11267 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object