Skip to main content

Google Chrome CVE-2026-11284

| EUVDEUVD-2026-34745 MEDIUM
Improper Protection of Physical Side Channels (CWE-1300)
2026-06-05 chrome-cve-admin@google.com GHSA-mfqw-6j28-58x9
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 20:58 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
MEDIUM 6.5
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Side-channel information leakage in PerformanceAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Side-channel information leakage via Performance APIs in Google Chrome prior to 149.0.7827.53 enables a remote attacker to read cross-origin data by luring a victim to a crafted HTML page. The CVSS confidentiality impact is rated High (C:H), yet Chromium's own security team classified this as 'Low' severity - a notable internal/external discordance suggesting practical exploitation is constrained. No public exploit code exists and EPSS stands at just 0.03% (11th percentile), consistent with the low-exploitation-probability profile typical of browser timing side-channels.

Technical ContextAI

Google Chrome's Performance APIs - including high-resolution timers such as performance.now(), Resource Timing, and Navigation Timing - expose timing measurements to JavaScript running in a page context. CWE-1300 (Improper Protection of Physical Side Channels) describes the root cause: when these APIs are insufficiently throttled or jittered, an attacker-controlled script can conduct timing-based inference attacks against cross-origin resources loaded by the victim's browser, effectively bypassing Same-Origin Policy protections without triggering a direct access violation. This class of vulnerability is related to Spectre-era cross-site leaks, where the attacker measures how long operations take rather than reading memory directly. The affected product is Google Chrome desktop across all platforms prior to version 149.0.7827.53, as confirmed by EUVD-2026-34745. No explicit CPE string was provided in source intelligence, but the affected range maps to all Chrome releases in the pre-149.0.7827.53 stable channel.

RemediationAI

Update Google Chrome to version 149.0.7827.53 or later - this is the vendor-released patch per the stable channel update announcement at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. In enterprise environments, this can be deployed via Chrome Browser Cloud Management or standard software update mechanisms. For deployments where immediate patching is not possible, Chrome's Site Isolation feature (enabled by default in modern Chrome) provides partial mitigation by isolating cross-origin processes, though it does not fully eliminate timing side-channels. Administrators may also consider enforcing strict Content Security Policy headers on owned web properties to limit JavaScript execution surface, and deploying web filtering to restrict user access to untrusted external pages, reducing the likelihood of a victim visiting a crafted exploit page. Note that disabling high-resolution timers via enterprise policy may degrade performance profiling and analytics functionality on internal web applications.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11284 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy