Skip to main content

Chrome for iOS CVE-2026-11298

| EUVDEUVD-2026-34759 MEDIUM
Origin Validation Error (CWE-346)
2026-06-05 chrome-cve-admin@google.com GHSA-hfpq-rxj4-wgm5
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.3 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 16:37 vuln.today
CVSS changed
Jun 05, 2026 - 16:22 NVD
4.3 (None) 4.3 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 05, 2026 - 00:17 nvd
MEDIUM 4.3

DescriptionCVE.org

Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Same-origin policy bypass in Google Chrome on iOS prior to 149.0.7827.53 allows a remote, unauthenticated attacker to violate cross-origin isolation by delivering a crafted HTML page to a victim. The flaw stems from an inappropriate implementation (CWE-346) in the iOS-specific Chrome codebase, meaning the iOS browser incorrectly validates origin boundaries in a way the desktop build does not. No active exploitation is confirmed (no CISA KEV listing), EPSS is 0.02% (4th percentile), and SSVC rates exploitation as none - placing this firmly in a routine patching priority rather than an emergency response.

Technical ContextAI

CWE-346 (Origin Validation Error) indicates that Chrome's iOS implementation fails to correctly enforce same-origin policy (SOP) checks in at least one code path. SOP is the foundational browser security boundary preventing scripts in one origin (scheme+host+port) from reading or writing data belonging to another origin. The affected component is specific to Chrome's iOS port - likely a WebKit-layer interaction or a custom iOS rendering/navigation path - distinguishing it from Chromium's standard Blink-based desktop implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms the attack is fully network-delivered, requires no privilege, and results in limited integrity impact with no confidentiality or availability loss. The affected CPE range is Google Chrome on iOS versions below 149.0.7827.53 per EUVD-2026-34759.

RemediationAI

Update Google Chrome on iOS to version 149.0.7827.53 or later via the Apple App Store. This is the vendor-released patch as confirmed by the Chrome Releases advisory (chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html) and the Chromium issue tracker (issues.chromium.org/issues/502503860). Because the CVSS integrity impact is limited (I:L) and EPSS is at the 4th percentile, emergency rollout is unlikely warranted; inclusion in the next scheduled mobile endpoint management patch cycle is appropriate for most organizations. No workarounds or compensating controls are documented by the vendor. For organizations unable to update immediately, restricting users from opening untrusted HTML links in Chrome for iOS (e.g., via MDM policy enforcing Safari as the default browser, or user awareness guidance) reduces exposure surface, but carries usability trade-offs.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-11298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy