Skip to main content

Google Chrome CVE-2026-11685

| EUVD-2026-35211 MEDIUM
Improper Input Validation (CWE-20)
2026-06-09 chrome-cve-admin@google.com GHSA-6v8q-g97g-72xj
Information Disclosure Google Red Hat Suse
Medium
Disputed · 4.3 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
SUSE
CRITICAL
qualitative
Red Hat
7.4 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 09, 2026 - 02:58 vuln.today
CVSS changed
Jun 09, 2026 - 02:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 09, 2026 - 00:16 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 09, 2026 - 00:16 nvd
MEDIUM 4.3

DescriptionCVE.org

Inappropriate implementation in MediaCapture in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Cross-origin data leakage in Google Chrome's MediaCapture implementation on macOS allows a remote attacker to read data from other origins by enticing a user to visit a specially crafted HTML page. Affected versions are all Chrome releases on Mac prior to 149.0.7827.103. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious HTML page invoking MediaCapture API
Delivery
Deliver page link to Mac Chrome user via phishing or compromised site
Exploit
User visits page and browser loads crafted content
Execution
Improper input validation in Mac MediaCapture code triggered
Impact
Cross-origin data leaked to attacker-controlled context
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim is running Google Chrome on macOS at a version prior to 149.0.7827.103 - Windows and Linux users are not affected by this CVE. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.3 Medium score reflects a realistic but bounded threat: the attack vector is network (AV:N) with low complexity (AC:L), no privileges required (PR:N), but mandatory user interaction (UI:R), and the scope is unchanged (S:U) with only low confidentiality impact (C:L) and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts or injects a crafted HTML page that invokes the MediaCapture API in a manner that exploits the improper input validation flaw, causing Chrome on Mac to inadvertently expose data from a cross-origin context (e.g., contents of a page the victim has open in another tab or authenticated session data). The attacker delivers the page to the victim via a phishing email link, malicious advertisement, or compromised third-party site. …
Remediation Update Google Chrome on Mac to version 149.0.7827.103 or later. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed

Share

CVE-2026-11685 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy