PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11120 Google CVE debrief

A critical vulnerability, CVE-2026-11120, was found in Google Chrome's Enterprise Reporting feature. This issue, caused by insufficient validation of untrusted input, allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. The vulnerability had a CVSS score of 9.6, indicating a high severity level. Google has addressed this issue in Chrome version 149.0.7827.53 and later.

Vendor
Google
Product
Chrome
CVSS
CRITICAL 9.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-08
Advisory published
2026-06-04
Advisory updated
2026-06-08

Who should care

Users of Google Chrome, especially those in enterprise environments, should be aware of this vulnerability and ensure they are running the latest version of Chrome (149.0.7827.53 or later) to mitigate the risk.

Technical summary

The vulnerability was caused by insufficient validation of untrusted input in Enterprise Reporting in Google Chrome prior to version 149.0.7827.53. This allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. The issue had a CVSS score of 9.6 and was classified as Critical.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to version 149.0.7827.53 or later.
  • Ensure that all users, especially in enterprise environments, are running the updated version of Chrome.

Evidence notes

The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information and mitigation steps can be found in the Chrome release notes [ref-4].

Official resources

CVE-2026-11120 was published on 2026-06-04T23:17:17.790Z and modified on 2026-06-08T19:16:38.347Z.