Skip to main content

Google Chrome EUVDEUVD-2026-34698

| CVE-2026-11237 HIGH
Improper Input Validation (CWE-20)
2026-06-04 chrome-cve-admin@google.com GHSA-p2fc-jrv5-w4xq
High
Disputed · 8.3 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
3.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 13:23 vuln.today
CVSS changed
Jun 05, 2026 - 13:22 NVD
8.3 (HIGH)
CVE Published
Jun 04, 2026 - 23:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 04, 2026 - 23:17 nvd
HIGH 8.3

DescriptionCVE.org

Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

UI spoofing in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to deceive users via a crafted HTML page through insufficient input validation in the Media component. The flaw carries a CVSS of 8.3 due to scope change and high impact ratings, though Chromium internally rates the severity as Low, and no public exploit identified at time of analysis. Exploitation requires a pre-existing renderer compromise and user interaction, narrowing realistic risk despite the elevated CVSS.

Technical ContextAI

The vulnerability resides in Chrome's Media subsystem, which handles parsing and rendering of audio/video content embedded in HTML pages. Rooted in CWE-20 (Improper Input Validation), the bug stems from the Media component accepting untrusted input without sufficient sanitization, enabling rendering behavior that can be manipulated to spoof UI elements such as origin indicators, dialogs, or media overlays. Because Chrome's renderer process is sandboxed, this issue is positioned as a post-compromise primitive that an attacker would chain with a separate renderer RCE to escalate the user-visible deception beyond what the sandbox normally permits.

RemediationAI

Upgrade to Google Chrome 149.0.7827.53 or later via the Stable channel update documented at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html (Vendor-released patch: 149.0.7827.53); enterprise deployments should force a browser relaunch through policy to ensure the patched binary is loaded rather than relying on user-initiated restarts. For Chromium-derivative browsers, monitor the respective vendor channels and apply rebased builds as they ship. As a compensating control prior to patching, restrict installation of untrusted extensions and block known malicious media-hosting domains at the proxy or DNS layer to reduce exposure to crafted HTML pages, accepting the trade-off that legitimate media sites may be impacted; tracking issue details are available at https://issues.chromium.org/issues/496617698.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-34698 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy