Skip to main content

Google Chrome EUVDEUVD-2026-34643

| CVE-2026-11182 MEDIUM
Information Exposure (CWE-200)
2026-06-04 chrome-cve-admin@google.com GHSA-5fwq-m5qh-4gf3
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
7.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 16:29 vuln.today
CVSS changed
Jun 05, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 6.5

DescriptionCVE.org

Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Cross-origin data leakage in Google Chrome's SVG implementation affects all desktop versions prior to 149.0.7827.53, enabling remote attackers to exfiltrate sensitive data from other origins via a crafted HTML page. The flaw exploits Chrome's SVG rendering pipeline to violate the Same-Origin Policy, exposing confidential data such as authenticated session content or cross-site resources. No public exploit identified at time of analysis, and EPSS probability is very low (0.03%, 11th percentile), though the zero-privilege-required, low-complexity attack path warrants prompt patching for any internet-facing user population.

Technical ContextAI

SVG (Scalable Vector Graphics) is natively parsed and rendered by Chrome's Blink rendering engine. The 'inappropriate implementation' classification (distinct from a classic memory safety bug) suggests a logic or policy enforcement error in how Chrome handles SVG elements - potentially through SVG filters, cross-document resource references, or timing side-channels - that bypasses the browser's Same-Origin Policy enforcement. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) identifies the root cause class: information that should be restricted to its origin context is made accessible to an attacker-controlled context. The CVSS scope indicator S:U confirms the impact is contained within the victim's browser session rather than escaping to the underlying OS or adjacent systems. Affected CPE is Google Chrome desktop versions below 149.0.7827.53, as identified by the EUVD affected version range.

RemediationAI

Update Google Chrome to version 149.0.7827.53 or later immediately, as a vendor-released patch is confirmed available via the official stable channel update at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's auto-update mechanism should deliver this patch automatically, but administrators managing enterprise deployments should verify rollout via policy. If immediate update is not possible, restricting users to trusted sites and blocking navigation to untrusted HTML pages via content filtering can reduce exposure, though these controls are difficult to enforce comprehensively and carry usability trade-offs. Disabling JavaScript or SVG rendering via browser policy would be a severe workaround with significant functional impact and is not recommended as a practical control. For organizations with high-risk user populations, consider enforcing managed Chrome updates via Google Admin Console or equivalent MDM tooling to minimize exposure window.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34643 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy