CVE-2026-10011: Chrome Skia Cross-Origin Data Leak
A flaw in Chrome's Skia graphics library could allow an attacker who has already compromised Chrome's renderer process to extract sensitive data from websites you visit. The attacker would need to serve you a specially crafted web page to perform the attack. While the underlying issue received a High severity rating from Chromium, the overall exploitability is limited because it requires both renderer compromise and user interaction, making it a low-risk vulnerability in practical terms.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10011 is an information disclosure vulnerability in Skia, Chrome's graphics rendering engine. The flaw stems from improper implementation that fails to adequately isolate cross-origin data within the renderer process. An attacker with prior renderer process compromise can craft malicious HTML to leak sensitive information across origin boundaries. The vulnerability does not affect rendering logic integrity or cause denial of service; it is purely a confidentiality issue. The attack surface is limited to users who visit attacker-controlled pages while their renderer is already compromised.
Business impact
The practical business risk is modest. This vulnerability only becomes dangerous in a multi-stage attack chain where an attacker has already achieved renderer process compromise through other means—perhaps a separate Chrome vulnerability or supply-chain compromise. In those scenarios, the ability to extract cross-origin data could enhance reconnaissance or lead to credential theft if sensitive information is rendered on the page. For most organizations, this is a lower-priority fix compared to vulnerabilities that directly enable compromise. However, high-value targets and organizations already managing targeted threat activity should prioritize patching.
Affected systems
Google Chrome versions prior to 148.0.7778.216 are affected. This includes Windows, macOS, Linux, Android, and iOS installations. Any user running an earlier version is potentially at risk if they encounter a malicious page while the renderer is compromised. Enterprise deployments should verify their current Chrome version against the fixed version listed in vendor advisories to confirm exposure.
Exploitability
Exploitation requires a high bar to be reached. An attacker must first compromise the Chrome renderer process through a separate vulnerability or exploit—a non-trivial achievement in modern Chrome's sandbox. Only after achieving that foothold can they craft the HTML page to leak cross-origin data. User interaction is required (visiting the malicious page), further limiting opportunistic attacks. For this reason, despite Chromium's High severity designation of the underlying flaw, the CVSS score is LOW (3.1), reflecting real-world difficulty. This is not a vulnerability that attackers can easily chain into widespread compromise.
Remediation
Update Google Chrome to version 148.0.7778.216 or later. On most systems, Chrome checks for updates automatically and will prompt for restart. Enterprise administrators should verify patch deployment via their Chrome management console or mobile device management platform. No workarounds exist; patching is the only mitigation. Organizations should prioritize this update within their normal patch cycles, but it does not warrant emergency patching procedures.
Patch guidance
Google Chrome delivers patches automatically to most users. Verify the update by checking Chrome menu > Help > About Google Chrome, which will show the current version. If it displays 148.0.7778.216 or higher, the patch is applied. For enterprise Chrome deployments, use the Chrome management console to confirm rollout to all managed devices. Mobile users (iOS/Android) should update via their platform's app store. No manual binary compilation is required for end users.
Detection guidance
Monitor Chrome version numbers across your environment using endpoint detection tools or Chrome management APIs. Identify systems running versions prior to 148.0.7778.216. Look for any logs indicating renderer crashes or suspicious cross-origin data requests in user sessions if you suspect active exploitation, though such detection is difficult without instrumentation specifically designed for Skia memory access patterns. Network-based detection is ineffective since the vulnerability is purely memory-based and occurs post-compromise.
Why prioritize this
Assign this vulnerability medium-to-low priority in your patch queue. While Chromium designated it High severity from an engineering perspective (the flaw itself is legitimate), the CVSS score and attack prerequisites reflect that it requires prior renderer compromise to be exploitable. It does not grant initial access and does not cause outages. Focus patching efforts on vulnerabilities that enable remote code execution or direct compromise first. Include this in your regular Chrome patching cycle, typically on Chrome's four-week release schedule.
Risk score, explained
The CVSS 3.1 score of 3.1 (LOW) reflects the realistic attack chain. While confidentiality is impacted (C:L), the attack vector is network-based but requires high complexity due to the renderer sandbox (AC:H), no special privileges (PR:N), and mandatory user interaction (UI:R). The scope is unchanged and there is no integrity or availability impact. The score appropriately captures that this is a post-compromise information leak rather than a critical vulnerability enabling initial system entry.
Frequently asked questions
Do I need to apply this patch immediately?
No. This is a low-priority update that should be included in your regular Chrome patching cycle. There is no known active exploitation, and the attack requires the renderer to already be compromised. Patch within your normal update windows unless you operate in a high-threat environment with targeted attack activity.
What is the difference between Chromium's 'High' severity and the CVSS 'LOW' score?
Chromium's severity reflects the engineering severity of the flaw itself—an improper security boundary in Skia. The CVSS score reflects real-world exploitability, which is much lower because an attacker must already control the renderer process. Both assessments are correct; they measure different aspects.
Can this vulnerability allow remote code execution?
No. This is a pure information disclosure flaw. It does not allow an attacker to execute code, modify data, or cause a denial of service. It only permits reading data across origin boundaries if the renderer is already compromised.
Do I need to worry about this on mobile Chrome?
The vulnerability affects Chrome on all platforms—desktop and mobile. Apply the same patching practices: keep your apps updated via your platform's app store, and verify that you are on version 148.0.7778.216 or later.
This analysis is based on publicly available vulnerability data as of the publication date. SEC.co does not provide legal advice, and organizations should conduct their own risk assessments aligned with their threat models and compliance obligations. Patch version numbers and vendor advisories should be verified directly from Google's official Chrome security releases. This page does not constitute a recommendation for any specific action and should be reviewed in context of your environment and security policies. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10254MEDIUMUnauthenticated Information Disclosure in SourceCodester Pet Grooming Software
- CVE-2026-10854MEDIUMMISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)
- CVE-2026-2128MEDIUMBreeze WordPress Plugin Cache Information Disclosure (v2.5.2 and earlier)
- CVE-2026-28511MEDIUMeLabFTW Information Disclosure – Title Exposure via Cross-Scope Search
- CVE-2026-36602MEDIUMMercusys AC12G Kernel Memory Disclosure via UPnP
- CVE-2026-36611HIGHMercusys AC12G Memory Disclosure Vulnerability