Skip to main content

Google Chrome CVE-2026-11196

| EUVDEUVD-2026-34657 MEDIUM
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-06-04 chrome-cve-admin@google.com GHSA-g4vh-hh62-jgqc
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 16:33 vuln.today
CVSS changed
Jun 05, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 6.5
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Type Confusion in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted XML file. (Chromium security severity: Medium)

AnalysisAI

Type confusion in Google Chrome's XML processing engine exposes process memory contents to remote attackers who can deliver a crafted XML file to a victim. Versions prior to 149.0.7827.53 are affected, with confidentiality impact rated High (C:H) despite an overall CVSS score of 6.5 due to the required user interaction. No public exploit code has been identified and EPSS stands at 0.03% (11th percentile), indicating low observed exploitation pressure; no KEV listing confirms active exploitation at this time.

Technical ContextAI

The root cause is CWE-843 (Type Confusion), in which Chrome's XML subsystem incorrectly handles the type of an object during parsing of a specially crafted XML file. When a type confusion occurs in a memory-managed environment such as Chromium's renderer process, it can allow a read operation to be performed against unintended memory regions, leaking potentially sensitive data held in the process at that time - such as cookies, session tokens, or heap-resident credentials. The vulnerability resides in Chromium's XML parsing component and is classified at Chromium security severity Medium. Affected product is Google Chrome (all platforms) on versions prior to 149.0.7827.53, as documented in EUVD-2026-34657 and the Chrome stable channel release advisory.

RemediationAI

Vendor-released patch: Chrome 149.0.7827.53. Users and administrators should update all Chrome installations to version 149.0.7827.53 or later using Chrome's built-in update mechanism (Settings > Help > About Google Chrome) or via enterprise deployment tools such as Google Update or managed browser policy. The official advisory is at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. If immediate patching is not feasible, a compensating control is to restrict or block access to untrusted XML-delivering sources at the network perimeter or endpoint (e.g., content filtering to block delivery of application/xml and text/xml MIME types from non-trusted origins), though this may disrupt legitimate XML-based web applications. Browser isolation or sandboxed browsing environments can reduce the impact of memory disclosure by limiting what sensitive data resides in the renderer process.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy