Skip to main content

Google Chrome CVE-2026-11195

| EUVDEUVD-2026-34656 MEDIUM
Origin Validation Error (CWE-346)
2026-06-04 chrome-cve-admin@google.com GHSA-jcc7-f4j6-p6gf
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
7.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 16:32 vuln.today
CVSS changed
Jun 05, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 6.5
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in MHTML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Cross-origin data leakage in Google Chrome's MHTML implementation prior to version 149.0.7827.53 exposes sensitive user data to remote attackers via crafted HTML pages. The flaw stems from improper origin validation (CWE-346) in MHTML handling, allowing an attacker-controlled page to read data across origin boundaries - a significant breach of the browser's same-origin policy. Exploitation requires convincing a victim to perform specific UI gestures, and no public exploit or active exploitation has been identified at time of analysis; EPSS probability is very low at 0.03% (11th percentile).

Technical ContextAI

MHTML (MIME HTML, RFC 2557) is a web archive format that bundles HTML documents with embedded resources (images, scripts, stylesheets) into a single MIME-encoded file. Google Chrome's MHTML processing component contained an 'inappropriate implementation' - classified under CWE-346 (Origin Validation Error) - meaning the engine failed to correctly enforce that cross-origin resources cannot be read by a requesting page. This breaks the fundamental browser Same-Origin Policy (SOP) contract. The affected product is Google Chrome across desktop platforms prior to stable release 149.0.7827.53, as confirmed by EUVD-2026-34656 and Google's Chrome Releases advisory. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates the vulnerability is exploitable over the network, requires no authentication, but does require user interaction, with high confidentiality impact and no impact on integrity or availability.

RemediationAI

The primary remediation is to upgrade Google Chrome to version 149.0.7827.53 or later, which contains the vendor-released fix as documented in the Google Chrome Releases blog at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's automatic update mechanism should deliver this update to most users without manual intervention; administrators managing enterprise deployments should push the update via policy. As a compensating control where immediate patching is not possible, consider blocking or disabling MHTML file handling at the enterprise proxy or endpoint level, though this may break legitimate use of .mht/.mhtml web archive files. Additionally, security awareness guidance discouraging users from performing unexpected UI gestures on unfamiliar web pages can reduce exploitation surface, though this is not a technical control and has limited reliability. No significant side effects of the patch itself have been reported.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy