
Google Chrome CVE-2026-11684

EUVD-2026-35210 LOW
Protection Mechanism Failure (CWE-693)
2026-06-09 chrome-cve-admin@google.com GHSA-m67c-5qcr-q2mm
3.1 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 09, 2026 - 02:58 (vuln.today)
CVSS changed: Jun 09, 2026 - 02:22 (NVD), 3.1 (LOW)
CVE Published: Jun 09, 2026 - 00:16 (nvd), UNKNOWN (no severity yet)

Description (CVE.org)

Insufficient policy enforcement in Network in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the utility process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Analysis (AI)

Insufficient network policy enforcement in Google Chrome prior to 149.0.7827.103 allows a remote unauthenticated attacker - who has already compromised the browser's utility process - to leak cross-origin data by luring a victim to a crafted HTML page. The confidentiality impact is limited and the scope is unchanged, yielding a CVSS base score of just 3.1 (Low). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Exploit separate Chrome utility process vulnerability
Delivery: Achieve utility process compromise
Exploit: Craft malicious HTML page
Execution: Lure victim to crafted page (user interaction)
Persist: Trigger network policy enforcement bypass
Impact: Leak cross-origin response data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires two mandatory preconditions: (1) the attacker must have already compromised the Google Chrome utility process through a separate, independent vulnerability - this is the dominant limiting factor and makes this a chained, second-stage attack rather than a standalone exploit; and (2) user interaction is required (UI:R), meaning the victim must visit or be redirected to a crafted HTML page controlled by the attacker. …

Risk Assessment: The CVSS 3.1 score of 3.1 (Low) accurately reflects the constrained real-world risk. …

Exploit Scenario: An attacker who has already achieved compromise of the Chrome utility process - through a separate, unrelated vulnerability - then serves the victim a crafted HTML page that triggers the insufficient network policy enforcement. When the victim visits the page, the compromised utility process bypasses cross-origin data isolation, allowing the attacker to exfiltrate limited cross-origin data such as response bodies or headers from other origins the victim is authenticated to. …

Remediation: The primary fix is upgrading Google Chrome to version 149.0.7827.103 or later, as confirmed by the vendor advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html. …
