Skip to main content

Google Chrome CVE-2026-11192

| EUVDEUVD-2026-34653 MEDIUM
Improper Input Validation (CWE-20)
2026-06-04 chrome-cve-admin@google.com GHSA-vwx3-v2xg-5c8h
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 16:30 vuln.today
CVSS changed
Jun 05, 2026 - 16:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 4.3
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient validation of untrusted input in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Medium)

AnalysisAI

UI spoofing in Google Chrome's Password Manager component (versions prior to 149.0.7827.53) allows a remote unauthenticated attacker to manipulate the Password Manager's visual interface via crafted malicious network traffic, potentially deceiving users about credential prompts or password state. Exploitation requires user interaction (CVSS UI:R), limiting opportunistic mass exploitation. No public exploit code exists and no active exploitation is confirmed - EPSS sits at just 0.05% (15th percentile), consistent with a low-priority medium-severity browser component flaw. A vendor-released patch is available in Chrome 149.0.7827.53.

Technical ContextAI

The root cause is CWE-20 (Improper Input Validation): Chrome's Password Manager component fails to sufficiently validate network-supplied data before using it to render UI elements. Because browser password managers consume and display metadata sourced from network responses (e.g., form field attributes, site identity signals), an attacker-controlled server can craft responses that bypass validation and inject spoofed UI into the Password Manager interface. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms the vulnerability is network-reachable with low attack complexity and no required privileges, but integrity impact is limited (I:L) and scope is unchanged, indicating the spoofing is confined to the browser UI layer rather than OS or cross-origin contexts. Affected CPE is Google Chrome desktop versions below 149.0.7827.53, as confirmed by EUVD-2026-34653.

RemediationAI

The primary remediation is upgrading Google Chrome to version 149.0.7827.53 or later, which contains the vendor-released fix. Most Chrome installations update automatically; users should verify their version via chrome://settings/help and trigger a manual update if needed. The advisory is available at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. As a compensating control for environments that cannot update immediately, administrators can disable Chrome's built-in Password Manager via enterprise policy (PasswordManagerEnabled=false), which removes the vulnerable component from the attack surface at the cost of losing native credential autofill functionality - users would need to rely on a third-party password manager extension. Given the low EPSS and absence of active exploitation, forced emergency patching outside normal patch cycles is unlikely to be warranted for most organizations.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy