Skip to main content

Google Chrome EUVDEUVD-2026-34655

| CVE-2026-11194 MEDIUM
Origin Validation Error (CWE-346)
2026-06-04 chrome-cve-admin@google.com GHSA-vxcg-jvmf-23hg
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
7.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 16:32 vuln.today
CVSS changed
Jun 05, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 04, 2026 - 23:17 nvd
MEDIUM 6.5
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Cross-origin data leakage in Google Chrome's Network implementation prior to version 149.0.7827.53 allows a remote unauthenticated attacker to read sensitive cross-origin data by luring a victim to a crafted HTML page. Rooted in CWE-346 (Origin Validation Error), the flaw permits the Network component to expose data across origin boundaries that same-origin policy should protect. No public exploit code or active exploitation (CISA KEV) has been identified; EPSS of 0.03% (11th percentile) places real-world exploitation probability as very low at time of analysis.

Technical ContextAI

The vulnerability resides in Chrome's Network layer, classified under CWE-346 (Origin Validation Error), meaning the browser fails to properly enforce origin validation on network-level responses or requests. The same-origin policy is a cornerstone browser security boundary; when network-handling logic improperly validates or bypasses origin checks, attackers can craft HTML pages that coerce the browser into retrieving and exposing cross-origin resources. This is consistent with class-level bugs such as side-channel leaks, CORS policy mishandling, or improper response routing in fetch/XHR pipelines. The affected product is Google Chrome prior to 149.0.7827.53 across desktop platforms (Windows, macOS, Linux), as identified via the ENISA EUVD affected version range 'Chrome 149.0.7827.53 < 149.0.7827.53' and the Chromium stable channel advisory.

RemediationAI

Update Google Chrome to version 149.0.7827.53 or later, which contains the vendor-released patch per the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome typically auto-updates, but administrators should verify deployment via fleet management tools. For environments where immediate patching is not possible, a compensating control is to restrict access to untrusted or external web content through enterprise browser policies (e.g., blocking navigation to non-allowlisted domains), accepting the trade-off of reduced browsing functionality. User awareness training to avoid clicking unknown links reduces the UI:R trigger surface but is not a technical control. No workaround fully eliminates the vulnerability; patching to 149.0.7827.53 is the authoritative remediation.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy