Google Chrome CVE-2026-11696

EUVD-2026-35222 MEDIUM
Use of Uninitialized Variable (CWE-457)
2026-06-09 chrome-cve-admin@google.com GHSA-v3jc-6f63-gr4g
Medium
Disputed · 5.3 NVD

Severity by source

Sources disagree (Medium–Critical)
NVD (primary): 5.3 MEDIUM, AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
SUSE: CRITICAL (qualitative)
Red Hat: 6.5 HIGH (qualitative)

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 09, 2026 - 02:56 (vuln.today)
CVSS changed: Jun 09, 2026 - 02:22 (NVD), 5.3 (MEDIUM)
CVE Published: Jun 09, 2026 - 00:16 (nvd), UNKNOWN (no severity yet)
CVE Published: Jun 09, 2026 - 00:16 (nvd), MEDIUM 5.3

Description (CVE.org)

Uninitialized Use in Video in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Analysis (AI)

Uninitialized memory use in the Video component of Google Chrome on Windows (prior to 149.0.7827.103) allows an attacker who has already compromised the renderer process to read potentially sensitive data from process memory by directing the victim to a crafted HTML page. The vulnerability is Windows-specific, rated High severity by Chromium's internal scale, and carries a CVSS 5.3 due to the high attack complexity and required user interaction stacking atop the renderer-compromise prerequisite. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Exploit separate renderer RCE vulnerability
Delivery: Establish attacker control of renderer process
Exploit: Direct victim to crafted HTML page with malicious video
Execution: Trigger uninitialized memory read in Video component
Persist: Extract process memory contents
Impact: Use leaked data (addresses, secrets) to enable further exploitation

Vulnerability Assessment (AI)

Exploitation: Two stacked prerequisites are required. …

Risk Assessment: The CVSS 5.3 score (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) accurately reflects a moderate-priority issue constrained by significant real-world barriers. …

Exploit Scenario: An attacker who has separately achieved renderer process compromise - for example via an unpatched renderer RCE - serves a crafted HTML page containing malicious video content to a Windows target. The Video component reads from uninitialized memory, and the attacker extracts the resulting data to recover heap addresses, stack canaries, or in-memory secrets, using that information to defeat ASLR or locate sensitive data before chaining to a privilege escalation. …

Remediation: Update Google Chrome on Windows to version 149.0.7827.103 or later - this is the vendor-released patch confirmed by both the Google Stable Channel advisory (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html) and EUVD-2026-35222. …

Vendor Status (Vendor)

SUSE

Severity: Critical
Product status:
openSUSE Leap 16.0: Fixed
openSUSE Tumbleweed: Fixed
