Skip to main content

Google Chrome EUVDEUVD-2026-34642

| CVE-2026-11181 MEDIUM
Origin Validation Error (CWE-346)
2026-06-04 chrome-cve-admin@google.com GHSA-rc7x-69vh-7p5q
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
SUSE
MEDIUM
qualitative
Red Hat
8.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 17:32 vuln.today
CVSS changed
Jun 05, 2026 - 17:22 NVD
6.3 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 6.3

DescriptionCVE.org

Inappropriate implementation in Media Session in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Same-origin policy bypass in Google Chrome's Media Session component (prior to 149.0.7827.53) enables remote attackers to violate cross-origin isolation via a crafted HTML page. The vulnerability stems from an inappropriate implementation (CWE-346: Origin Validation Error) in the Media Session API, which fails to properly enforce origin boundaries. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; EPSS sits at 0.02% (4th percentile), consistent with low observed exploitation activity.

Technical ContextAI

The Media Session API is a browser feature that allows web pages to provide metadata about media playback (title, artist, artwork) and handle media control actions from the OS or browser UI. CWE-346 (Origin Validation Error) indicates the implementation fails to correctly validate that cross-origin access attempts are rejected - a fundamental contract of the Same-Origin Policy (SOP). In Chrome's architecture, Media Session logic lives in the renderer process; an improper origin check here can allow one origin to influence or read state belonging to another. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U) confirms this is a network-delivered, low-complexity attack requiring only a single user interaction (visiting the page), with no privileges needed. Affected product per EUVD: Chrome versions in the range < 149.0.7827.53.

RemediationAI

Update Google Chrome to version 149.0.7827.53 or later, which is confirmed as the vendor-released patch per the Chrome stable channel update blog at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome auto-updates for most users; administrators managing enterprise deployments should verify rollout via Google Admin Console or their software management tooling. If immediate patching is not possible, a compensating control is to restrict user access to untrusted web content via browser policy (URL allowlisting), though this significantly impacts normal browsing. Disabling JavaScript broadly would also prevent exploitation of crafted HTML pages but is operationally impractical in most environments. The chromium issue tracker entry at https://issues.chromium.org/issues/502633299 may provide additional technical detail once the disclosure embargo lifts.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34642 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy