Skip to main content

Google Chrome EUVDEUVD-2026-34753

| CVE-2026-11292 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-06-05 chrome-cve-admin@google.com GHSA-hf37-2h38-4573
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.4 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 21:01 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
MEDIUM 4.3
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient policy enforcement in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Content Security Policy bypass in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.53) enables unauthenticated remote attackers to circumvent CSP directives by delivering a crafted HTML page that requires only a user visit to trigger. The impact is confined to low-severity integrity violations (CVSS I:L) with no confidentiality or availability consequences, consistent with Chromium's own Low severity rating. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) reflects negligible near-term exploitation probability.

Technical ContextAI

Blink is the HTML rendering engine embedded in all Chromium-based browsers, responsible for parsing web content and enforcing browser security primitives including Content Security Policy. CSP is a declarative security mechanism that instructs the browser to restrict which resources (scripts, styles, frames, etc.) a page may load or execute, serving as a key mitigation against cross-site scripting and data injection. CWE-693 (Protection Mechanism Failure) identifies the root cause as a failure to correctly enforce an existing security control rather than an absence of one - the CSP logic is present in Blink but can be bypassed through insufficient enforcement in a specific code path. The affected component is the Blink engine within Google Chrome versions prior to 149.0.7827.53, as confirmed by EUVD affected version data. The Chromium issue tracker entry at https://issues.chromium.org/issues/502358901 is the upstream tracking reference, though the technical specifics of the enforcement gap are not detailed in available public data.

RemediationAI

Upgrade Google Chrome to version 149.0.7827.53 or later, as confirmed by the vendor's stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's automatic update mechanism will deliver this version to most end-user installations without manual intervention; enterprise administrators managing browser deployment via policy (e.g., Google Admin Console or ADMX templates) should verify update propagation and confirm version compliance. As a compensating control before patching can be verified across a managed fleet, organizations relying on CSP for high-assurance protections against XSS in critical internal web applications should consider temporarily enforcing web proxy allowlisting to restrict navigation to untrusted external origins. Note that network-layer controls do not address the Blink enforcement flaw itself and carry the trade-off of reduced user browsing capability; they are not a substitute for the vendor patch.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34753 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy