What is the CVSS score of CVE-2026-11665?

CVE-2026-11665 has a contested CVSS base score of 4.3 from a third party (e.g. CISA-ADP), while the vendor rates it Medium. vuln.today uses the vendor rating as authoritative.

Is there a patch available for CVE-2026-11665?

Yes, a patch is available for CVE-2026-11665. Update the affected software to the latest version immediately.

Google Chrome CVE-2026-11665

EUVD-2026-35265 MEDIUM

Out-of-bounds Read (CWE-125)

2026-06-09 chrome-cve-admin@google.com

GHSA-5mhg-rh4j-h587

Information Disclosure Google Microsoft Buffer Overflow Red Hat Suse

Medium

Disputed · 4.3 NVD

Severity by source

Sources disagree (Medium–Critical)

NVD PRIMARY

4.3 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

SUSE

CRITICAL

qualitative

Red Hat

6.5 HIGH

qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 03:00 vuln.today

CVSS changed

Jun 09, 2026 - 02:22 NVD

4.3 (MEDIUM)

CVE Published

Jun 09, 2026 - 00:16 nvd

UNKNOWN (no severity yet)

CVE Published

Jun 09, 2026 - 00:16 nvd

MEDIUM 4.3

DescriptionCVE.org

Out of bounds read in Dawn in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Out-of-bounds read in Dawn, Chrome's WebGPU graphics API layer, on Windows enables unauthenticated remote attackers to leak cross-origin data by serving a crafted HTML page. Affected versions of Google Chrome on Windows are all releases prior to 149.0.7827.103. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Host crafted HTML page with WebGPU payload

Delivery

Deliver link to target via phishing or malvertising

Exploit

Target opens page in Chrome on Windows

Execution

Dawn processes WebGPU content, triggering OOB read

Persist

Cross-origin memory contents exposed to renderer

Impact

Attacker JavaScript reads and exfiltrates leaked data

Access

Host crafted HTML page with WebGPU payload

Delivery

Deliver link to target via phishing or malvertising

Exploit

Target opens page in Chrome on Windows

Execution

Dawn processes WebGPU content, triggering OOB read

Persist

Cross-origin memory contents exposed to renderer

Impact

Attacker JavaScript reads and exfiltrates leaked data

Vulnerability AssessmentAI

Exploitation	Exploitation requires the target to be running Google Chrome on Windows (platform-specific; not confirmed exploitable on macOS or Linux). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS score of 4.3 (Medium) reflects a constrained but real risk: network-reachable (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but user interaction is required (UI:R) and confidentiality impact is limited (C:L) with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker hosts a crafted HTML page that triggers the Dawn out-of-bounds read when rendered by Chrome's WebGPU pipeline on Windows. When a target user visits the page - via phishing link, malicious ad, or compromised site - the OOB read exposes memory containing cross-origin data such as content from other open tabs, authentication tokens, or rendered page data, which the attacker's JavaScript can then exfiltrate. …
Remediation	The primary fix is to update Google Chrome to version 149.0.7827.103 or later on Windows - this is a vendor-released patch confirmed by the Chrome stable channel update advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 16.0	Fixed
openSUSE Tumbleweed	Fixed

CVE-2026-11665 vulnerability details – vuln.today

Back

Google Chrome CVE-2026-11665

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code