Skip to main content

Google Chrome CVE-2026-11233

| EUVDEUVD-2026-34694 MEDIUM
Improper Input Validation (CWE-20)
2026-06-04 chrome-cve-admin@google.com GHSA-r3q4-gcgj-mfrp
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
8.7 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 14:24 vuln.today
CVSS changed
Jun 05, 2026 - 14:22 NVD
4.7 (None) 4.7 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 4.7

DescriptionCVE.org

Insufficient policy enforcement in FoldableAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Same-origin policy bypass in Google Chrome's FoldableAPIs component (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to exfiltrate cross-origin data by delivering a crafted HTML page. Rated Medium (CVSS 4.7) with a Changed scope, this is a second-stage exploit primitive - not a standalone critical - requiring a pre-existing renderer compromise before it is triggerable. EPSS at 0.02% (6th percentile), SSVC exploitation status of 'none', and Google's internal 'Low' severity rating collectively confirm this is a patch-on-schedule rather than emergency-response priority. No public exploit identified at time of analysis.

Technical ContextAI

The vulnerability resides in Chrome's FoldableAPIs, a Chromium component exposing platform-specific APIs related to foldable display device features. The root cause is CWE-20 (Improper Input Validation) - the FoldableAPIs implementation fails to sufficiently validate or enforce policy constraints at the renderer layer, allowing an already-compromised renderer to violate the Same-Origin Policy (SOP), the browser's foundational security boundary isolating content across web origins. The CVSS Scope:Changed (S:C) attribute is analytically significant: it confirms the vulnerability crosses a defined security boundary - from the compromised renderer context into broader browser-level policy enforcement - even though impact is limited to partial confidentiality (C:L). Affected versions span all Chrome Desktop releases prior to 149.0.7827.53, as confirmed by the ENISA EUVD entry EUVD-2026-34694. No CPE string was provided in the input data.

RemediationAI

The primary fix is to update Google Chrome to version 149.0.7827.53 or later; this is a vendor-released patch confirmed by both the Chrome Releases advisory (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html) and the ENISA EUVD entry EUVD-2026-34694. Chrome auto-updates by default - administrators managing enterprise fleets should verify that endpoints have received the update via their browser management console (e.g., Google Admin, Tanium, or equivalent). As a compensating control specifically relevant to this vulnerability's prerequisites, enforcing strict site isolation via the Chrome enterprise policy 'SitePerProcess' reduces the blast radius of any renderer-compromise exploit that could chain into this bypass; note this policy may increase memory usage in environments with many open tabs. Organizations unable to patch immediately should audit whether FoldableAPIs-adjacent features are in active use and consider blocking access to foldable-device-specific API endpoints via Content Security Policy where feasible, though the trade-off is potential breakage of legitimate foldable device experiences.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy