Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient policy enforcement in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 arises from insufficient policy enforcement in the CSS subsystem, allowing unauthenticated remote attackers to read data across origin boundaries by directing a user to a crafted HTML page. The CVSS vector scores high confidentiality impact (C:H) with no privileges required (PR:N), though mandatory user interaction (UI:R) is a prerequisite. No public exploit has been identified at time of analysis, EPSS probability is very low at 0.03% (11th percentile), and Chromium's own internal severity rating is 'Low' - all signals consistent with limited real-world exploitation risk despite the elevated CVSS confidentiality impact.
Technical ContextAI
The vulnerability is rooted in CWE-693 (Protection Mechanism Failure), meaning Chrome's CSS engine fails to properly enforce isolation or same-origin policy controls that should prevent one origin from reading data belonging to another. CSS-based cross-origin attacks commonly abuse rendering side effects, timing channels, or features such as @import rules, CSS custom properties, or font/resource loading behavior to infer or directly extract cross-origin content. The affected product is Google Chrome for desktop (Windows, macOS, Linux), versions below 149.0.7827.53, as confirmed by the EUVD CPE range 'Chrome <149.0.7827.53'. The Chromium bug tracker reference (issues.chromium.org/issues/502231588) likely contains additional technical detail but may be access-restricted per Google's standard disclosure policy.
RemediationAI
Update Google Chrome to version 149.0.7827.53 or later using the browser's built-in update mechanism (Menu > Help > About Google Chrome) or via enterprise deployment tools such as Google Admin Console for managed fleets. The vendor-released patch is documented at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. As a compensating control pending update in environments where browser updates require staged rollouts, restricting users to trusted web destinations via proxy allowlists or browser isolation platforms reduces exposure to attacker-crafted pages, though this imposes usability trade-offs. Enforcing strict Content Security Policy headers on internally managed web properties does not mitigate the vulnerability in Chrome itself but limits the attacker's ability to host the crafted payload on controlled infrastructure.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34749
GHSA-2g9m-m94r-h996