Skip to main content

Google Chrome CVE-2026-11289

| EUVDEUVD-2026-34750 MEDIUM
Improper Protection of Physical Side Channels (CWE-1300)
2026-06-05 chrome-cve-admin@google.com GHSA-pgjw-xwmc-8p56
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.3 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 21:00 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
MEDIUM 6.5
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Side-channel information leakage in the Paint component of Google Chrome prior to 149.0.7827.53 enables cross-origin data theft via a crafted HTML page requiring only victim interaction. The CVSS 6.5 rating reflects high confidentiality impact with no attacker privileges required, but real-world risk is tempered by mandatory user interaction, Chromium's own 'Low' severity classification, and an EPSS exploitation probability of just 0.03% (11th percentile). No public exploit has been identified at time of analysis, and a vendor-released patch is available in Chrome 149.0.7827.53.

Technical ContextAI

CWE-1300 (Improper Protection of Physical Side Channels) in this context describes a software-level side-channel within Chrome's Paint rendering subsystem, which handles pixel compositing and visual output. The flaw allows a crafted HTML page to observe differences in rendering timing, state, or pixel data in ways that correlate with content loaded from a different origin - violating the browser's Same-Origin Policy. This class of vulnerability typically exploits measurable differences in how the rendering engine processes cross-origin resources (e.g., cached vs. uncached images, composited layers). Affected products per EUVD EUVD-2026-34750: Google Chrome desktop versions prior to 149.0.7827.53.

RemediationAI

Update Google Chrome to version 149.0.7827.53 or later - this is the vendor-released patch confirmed in the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's automatic update mechanism will handle this for most consumer installations. Enterprise administrators should push the update via Chrome Browser Cloud Management or Group Policy Object (GPO) and verify deployment with chrome://policy. If immediate patching is blocked by change-freeze policies, a compensating control is to enforce navigation restrictions via proxy or DNS filtering to prevent users from reaching untrusted external HTML content - this has significant usability costs and does not address attacks delivered via compromised trusted sites or ads. Disabling JavaScript entirely would also block the attack vector but renders most web applications non-functional.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy