Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Cross-origin data leakage in Google Chrome's SVG implementation affects all desktop versions prior to 149.0.7827.53, enabling remote attackers to exfiltrate sensitive data from other origins via a crafted HTML page. The flaw exploits Chrome's SVG rendering pipeline to violate the Same-Origin Policy, exposing confidential data such as authenticated session content or cross-site resources. No public exploit identified at time of analysis, and EPSS probability is very low (0.03%, 11th percentile), though the zero-privilege-required, low-complexity attack path warrants prompt patching for any internet-facing user population.
Technical ContextAI
SVG (Scalable Vector Graphics) is natively parsed and rendered by Chrome's Blink rendering engine. The 'inappropriate implementation' classification (distinct from a classic memory safety bug) suggests a logic or policy enforcement error in how Chrome handles SVG elements - potentially through SVG filters, cross-document resource references, or timing side-channels - that bypasses the browser's Same-Origin Policy enforcement. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) identifies the root cause class: information that should be restricted to its origin context is made accessible to an attacker-controlled context. The CVSS scope indicator S:U confirms the impact is contained within the victim's browser session rather than escaping to the underlying OS or adjacent systems. Affected CPE is Google Chrome desktop versions below 149.0.7827.53, as identified by the EUVD affected version range.
RemediationAI
Update Google Chrome to version 149.0.7827.53 or later immediately, as a vendor-released patch is confirmed available via the official stable channel update at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's auto-update mechanism should deliver this patch automatically, but administrators managing enterprise deployments should verify rollout via policy. If immediate update is not possible, restricting users to trusted sites and blocking navigation to untrusted HTML pages via content filtering can reduce exposure, though these controls are difficult to enforce comprehensively and carry usability trade-offs. Disabling JavaScript or SVG rendering via browser policy would be a severe workaround with significant functional impact and is not recommended as a practical control. For organizations with high-risk user populations, consider enforcing managed Chrome updates via Google Admin Console or equivalent MDM tooling to minimize exposure window.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34643
GHSA-5fwq-m5qh-4gf3