Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Side-channel information leakage in PerformanceAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Side-channel information leakage via Performance APIs in Google Chrome prior to 149.0.7827.53 enables a remote attacker to read cross-origin data by luring a victim to a crafted HTML page. The CVSS confidentiality impact is rated High (C:H), yet Chromium's own security team classified this as 'Low' severity - a notable internal/external discordance suggesting practical exploitation is constrained. No public exploit code exists and EPSS stands at just 0.03% (11th percentile), consistent with the low-exploitation-probability profile typical of browser timing side-channels.
Technical ContextAI
Google Chrome's Performance APIs - including high-resolution timers such as performance.now(), Resource Timing, and Navigation Timing - expose timing measurements to JavaScript running in a page context. CWE-1300 (Improper Protection of Physical Side Channels) describes the root cause: when these APIs are insufficiently throttled or jittered, an attacker-controlled script can conduct timing-based inference attacks against cross-origin resources loaded by the victim's browser, effectively bypassing Same-Origin Policy protections without triggering a direct access violation. This class of vulnerability is related to Spectre-era cross-site leaks, where the attacker measures how long operations take rather than reading memory directly. The affected product is Google Chrome desktop across all platforms prior to version 149.0.7827.53, as confirmed by EUVD-2026-34745. No explicit CPE string was provided in source intelligence, but the affected range maps to all Chrome releases in the pre-149.0.7827.53 stable channel.
RemediationAI
Update Google Chrome to version 149.0.7827.53 or later - this is the vendor-released patch per the stable channel update announcement at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. In enterprise environments, this can be deployed via Chrome Browser Cloud Management or standard software update mechanisms. For deployments where immediate patching is not possible, Chrome's Site Isolation feature (enabled by default in modern Chrome) provides partial mitigation by isolating cross-origin processes, though it does not fully eliminate timing side-channels. Administrators may also consider enforcing strict Content Security Policy headers on owned web properties to limit JavaScript execution surface, and deploying web filtering to restrict user access to untrusted external pages, reducing the likelihood of a victim visiting a crafted exploit page. Note that disabling high-resolution timers via enterprise policy may degrade performance profiling and analytics functionality on internal web applications.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34745
GHSA-mfqw-6j28-58x9