Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Side-channel information leakage in the Paint component of Google Chrome prior to 149.0.7827.53 enables cross-origin data theft via a crafted HTML page requiring only victim interaction. The CVSS 6.5 rating reflects high confidentiality impact with no attacker privileges required, but real-world risk is tempered by mandatory user interaction, Chromium's own 'Low' severity classification, and an EPSS exploitation probability of just 0.03% (11th percentile). No public exploit has been identified at time of analysis, and a vendor-released patch is available in Chrome 149.0.7827.53.
Technical ContextAI
CWE-1300 (Improper Protection of Physical Side Channels) in this context describes a software-level side-channel within Chrome's Paint rendering subsystem, which handles pixel compositing and visual output. The flaw allows a crafted HTML page to observe differences in rendering timing, state, or pixel data in ways that correlate with content loaded from a different origin - violating the browser's Same-Origin Policy. This class of vulnerability typically exploits measurable differences in how the rendering engine processes cross-origin resources (e.g., cached vs. uncached images, composited layers). Affected products per EUVD EUVD-2026-34750: Google Chrome desktop versions prior to 149.0.7827.53.
RemediationAI
Update Google Chrome to version 149.0.7827.53 or later - this is the vendor-released patch confirmed in the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's automatic update mechanism will handle this for most consumer installations. Enterprise administrators should push the update via Chrome Browser Cloud Management or Group Policy Object (GPO) and verify deployment with chrome://policy. If immediate patching is blocked by change-freeze policies, a compensating control is to enforce navigation restrictions via proxy or DNS filtering to prevent users from reaching untrusted external HTML content - this has significant usability costs and does not address attacks delivered via compromised trusted sites or ads. Disabling JavaScript entirely would also block the attack vector but renders most web applications non-functional.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34750
GHSA-pgjw-xwmc-8p56