Skip to main content

Google Chrome EUVDEUVD-2026-34749

| CVE-2026-11288 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-06-05 chrome-cve-admin@google.com GHSA-2g9m-m94r-h996
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.3 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 20:59 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
MEDIUM 6.5
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient policy enforcement in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 arises from insufficient policy enforcement in the CSS subsystem, allowing unauthenticated remote attackers to read data across origin boundaries by directing a user to a crafted HTML page. The CVSS vector scores high confidentiality impact (C:H) with no privileges required (PR:N), though mandatory user interaction (UI:R) is a prerequisite. No public exploit has been identified at time of analysis, EPSS probability is very low at 0.03% (11th percentile), and Chromium's own internal severity rating is 'Low' - all signals consistent with limited real-world exploitation risk despite the elevated CVSS confidentiality impact.

Technical ContextAI

The vulnerability is rooted in CWE-693 (Protection Mechanism Failure), meaning Chrome's CSS engine fails to properly enforce isolation or same-origin policy controls that should prevent one origin from reading data belonging to another. CSS-based cross-origin attacks commonly abuse rendering side effects, timing channels, or features such as @import rules, CSS custom properties, or font/resource loading behavior to infer or directly extract cross-origin content. The affected product is Google Chrome for desktop (Windows, macOS, Linux), versions below 149.0.7827.53, as confirmed by the EUVD CPE range 'Chrome <149.0.7827.53'. The Chromium bug tracker reference (issues.chromium.org/issues/502231588) likely contains additional technical detail but may be access-restricted per Google's standard disclosure policy.

RemediationAI

Update Google Chrome to version 149.0.7827.53 or later using the browser's built-in update mechanism (Menu > Help > About Google Chrome) or via enterprise deployment tools such as Google Admin Console for managed fleets. The vendor-released patch is documented at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. As a compensating control pending update in environments where browser updates require staged rollouts, restricting users to trusted web destinations via proxy allowlists or browser isolation platforms reduces exposure to attacker-crafted pages, though this imposes usability trade-offs. Enforcing strict Content Security Policy headers on internally managed web properties does not mitigate the vulnerability in Chrome itself but limits the attacker's ability to host the crafted payload on controlled infrastructure.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34749 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy