sync: auto-sync from GURU-5070 at 2026-06-09 18:18:03

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-09 18:18:03
2026-06-09 18:18:41 -07:00
parent 6a961e06f4
commit 2a006483f9


@@ -0,0 +1,44 @@
# CVE-2026-11645 — Chrome V8 zero-day: research + fleet remediation plan (IN PROGRESS)
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Mike asked to research **CVE-2026-11645** and determine how to resolve it for affected agents (fleet endpoints). Researched via WebSearch (CVE is past the Jan-2026 model cutoff, so live sourcing was required). Confirmed it is a **Google Chrome V8 JavaScript-engine memory-safety zero-day** (out-of-bounds read + write) that allows remote code execution within the Chrome sandbox via a crafted HTML page, **exploited in the wild**. Google announced the fix 2026-06-08; reported 2026-04-27 by an anonymous researcher ($55K bounty).
**Fixed versions:** Chrome **149.0.7827.102/.103** (Windows/macOS), **149.0.7827.102** (Linux). Anything below is affected.
Remediation for the fleet was scoped but **not yet executed** (session interrupted by /save). Plan: use GuruRMM to inventory installed Chrome versions across all Windows agents, flag any below 149.0.7827.102, then force the update (relaunch Chrome / `GoogleUpdate` / winget, or set the `RelaunchNotification`/auto-update GPO). Bitdefender GravityZone patch management is the alternate channel for managed endpoints.
## Key Decisions
- **Live-sourced the CVE rather than answering from memory** — 2026 CVEs are past the model cutoff; never guess CVE details.
- **GuruRMM as the primary remediation channel** — we have agent coverage + remote command execution to both inventory Chrome versions and force the update fleet-wide; this is faster/broader than waiting on Chrome's own background updater.
## Configuration Changes
- None yet. Created this session log only.
## Infrastructure & Servers
- Affected software: Google Chrome (desktop) < 149.0.7827.102 (Win/Mac), < 149.0.7827.102 (Linux).
- Remediation tooling: GuruRMM (`http://172.16.3.30:3001`, agent fleet, `/rmm` skill); Bitdefender GravityZone (patch mgmt, `bitdefender` skill).
## Commands & Outputs
- Chrome version check (Windows, per-agent via GuruRMM PowerShell): read `(Get-Item "$env:ProgramFiles\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion` and the registry `HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*` / `HKLM:\SOFTWARE\Google\Chrome\BLBeacon` `version`.
- Force update (per-agent): trigger Google Update — `& "$env:ProgramFiles (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler` or `winget upgrade --id Google.Chrome --silent --accept-source-agreements`. A relaunch is required to apply.
## Pending / Incomplete Tasks
- **Execute the fleet remediation:** (1) GuruRMM-dispatch a Chrome-version inventory across all Windows agents; (2) tally agents < 149.0.7827.102; (3) force update + relaunch on affected agents (or via Bitdefender patch mgmt); (4) verify post-update versions. NOT yet done.
- Decide scope: all fleet machines vs per-client; confirm with Mike whether to push the update or just report/inventory first.
## Reference Information
- NVD/advisories: socprime.com/blog/cve-2026-11645-chrome-zero-day-vulnerability-exploited-in-the-wild, helpnetsecurity.com/2026/06/09/google-chrome-zero-day-cve-2026-11645, socradar.io/blog/cve-2026-11645-chrome-v8-bug, CISA KEV catalog (cisa.gov/known-exploited-vulnerabilities-catalog).
- Fixed: Chrome 149.0.7827.102/.103 (Win/Mac), 149.0.7827.102 (Linux).
- GuruRMM API: http://172.16.3.30:3001 ; auth vault `infrastructure/gururmm-server.sops.yaml`.
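Review bot: the per-agent version check under "Commands & Outputs" will miss per-user Chrome installs and 64-bit machine-wide installs, so the inventory in step (1) of the pending tasks can under-count affected agents. The file probe only looks at `$env:ProgramFiles\Google\Chrome\Application\chrome.exe`, and the registry probe only reads `HKLM:\SOFTWARE\Wow6432Node\...\Uninstall\*`; Chrome installed per-user lives under `$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe` with its uninstall entry in `HKCU`, and a 64-bit machine-wide install registers under the non-`Wow6432Node` `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` key. Suggest the inventory script check both file locations and both uninstall keys (HKLM 32/64-bit plus HKCU), treat `BLBeacon` `version` as the last-launched version rather than the installed one (a downloaded update is not reflected there until relaunch, which matters for step (4) verification), and do the "below 149.0.7827.102" comparison with `[version]` casts rather than string comparison, since a string compare would sort `149.0.7827.99` above `149.0.7827.102`. It would also help to note in the log whether the `GoogleUpdate.exe` path should fall back to `$env:ProgramFiles\Google\Update` when the x86 path is absent.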