Skip to main content

Google Chrome CVE-2026-11286

| EUVDEUVD-2026-34747 MEDIUM
Improper Input Validation (CWE-20)
2026-06-05 chrome-cve-admin@google.com GHSA-5jwx-m54q-488f
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
0.0 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 20:58 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
MEDIUM 4.3
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient validation of untrusted input in Wallet in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

UI spoofing in Google Chrome's Wallet component (versions prior to 149.0.7827.53) permits a remote attacker who has already achieved renderer process compromise to manipulate the browser's payment/credential interface by delivering a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) scores this at 4.3 Medium, but the explicit renderer-compromise prerequisite in the description significantly narrows real-world attack surface beyond what those scores imply. No public exploit identified at time of analysis, EPSS sits at 0.05% (15th percentile), there is no CISA KEV listing, and Google's own Chromium team rates this Low severity - all signals converging on limited exploitation likelihood.

Technical ContextAI

The vulnerability resides in Chrome's Wallet component - the browser-native subsystem handling payment methods, autofill credentials, and related UI surfaces. CWE-20 (Improper Input Validation) identifies the root cause: the Wallet component fails to adequately validate data arriving from the renderer process before rendering it in privileged UI contexts. Chrome's architecture isolates renderer processes in a sandbox, but when a renderer is already compromised (via a separate exploit), the attacker gains the ability to inject crafted inputs across the renderer-to-browser IPC boundary. The Wallet UI, trusting that input insufficiently, can then be induced to display spoofed interface elements. Affected versions are all Chrome desktop releases below 149.0.7827.53, per EUVD-2026-34747. No CPE string was supplied in the intelligence data, but the product scope is Chrome stable channel on desktop (Windows, macOS, Linux).

RemediationAI

Upgrade Google Chrome to version 149.0.7827.53 or later; this is the vendor-released patch confirmed via the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's built-in auto-update mechanism will deliver this for most desktop users without manual intervention. Enterprise administrators who have deferred updates should prioritize deployment given that renderer-targeting vulnerabilities (the prerequisite chain) are a common focus for browser exploit kits. As a partial compensating control, disabling Chrome's Wallet and payment features via enterprise policy (setting PaymentMethodQueryEnabled to false) would reduce exposure to this specific Wallet UI path, though this eliminates payment autofill functionality as a trade-off. No other documented workarounds are available from vendor sources at time of analysis.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy