Google Chrome EUVD-2026-35212

CVE-2026-11686 · LOW
Improper Input Validation (CWE-20)
2026-06-09 · chrome-cve-admin@google.com · GHSA-mfw4-fc92-pwx6
3.1 · CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

Lifecycle Timeline

  • Analysis Generated: Jun 09, 2026 - 02:57 (vuln.today)
  • CVSS changed: Jun 09, 2026 - 02:22 (NVD), 3.1 (LOW)
  • CVE Published: Jun 09, 2026 - 00:16 (nvd), UNKNOWN (no severity yet)

Description (CVE.org)

Insufficient validation of untrusted input in Dawn in Google Chrome on macOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Analysis (AI)

Cross-origin data leak in Chrome's Dawn (WebGPU) component on macOS affects all versions prior to 149.0.7827.103, allowing a remote attacker who has already compromised the renderer process to exfiltrate cross-origin data via a crafted HTML page. CVSS score of 3.1 (Low) accurately reflects the constrained impact: confidentiality loss only (C:L), no integrity or availability impact, and a hard prerequisite of prior renderer compromise that makes standalone exploitation impossible. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Exploit separate renderer RCE vulnerability
  • Delivery: Gain renderer process code execution on macOS Chrome
  • Exploit: Deliver crafted HTML page to victim
  • Execution: Trigger Dawn input validation flaw
  • Impact: Leak cross-origin data to attacker-controlled context

Vulnerability Assessment (AI)

Exploitation: Exploitation has two explicit hard prerequisites derived directly from the CVE description and CVSS vector. …

Risk Assessment: Multiple converging signals place this vulnerability at the low end of real-world priority. …

Exploit Scenario: An attacker who has already achieved renderer-level code execution in Chrome on macOS - through a separate, more severe exploit such as a renderer RCE vulnerability - serves a specially crafted HTML page to the victim. The crafted page triggers the Dawn input validation flaw, causing the compromised renderer to leak data from a cross-origin context (such as a banking portal or authenticated session) back to the attacker-controlled renderer. …

Remediation: Update Google Chrome on macOS to version 149.0.7827.103 or later using the vendor-released patch documented in the stable channel update advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html. …
