CVE-2026-11027: Chrome Glic Input Validation Flaw Enables Cross-Origin Data Leakage
A vulnerability in Google Chrome's Glic component fails to properly validate untrusted input, allowing an attacker who has already compromised Chrome's renderer process to extract sensitive data across website boundaries using a specially crafted webpage. The attacker needs initial renderer process compromise but then gains the ability to read data from sites the user visits, bypassing normal browser security boundaries.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in Glic in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11027 is an insufficient input validation flaw (CWE-20) in Glic affecting Chrome versions prior to 149.0.7827.53. The vulnerability allows cross-origin data leakage when a remote attacker controls a crafted HTML page and has already compromised the Chrome renderer process. The attack surface is network-based with low complexity; user interaction (clicking or viewing the malicious page) is required. The vulnerability is confined to confidentiality impact with no integrity or availability effects.
Business impact
This vulnerability poses a targeted data exfiltration risk for organizations where employee browsers may be compromised or where sophisticated social engineering delivers malicious content. The requirement for prior renderer compromise limits opportunistic exploitation but represents a real escalation path in multi-stage attacks. Industries handling sensitive per-user data (finance, healthcare, government) face elevated risk if browser compromise occurs alongside this flaw.
Affected systems
Google Chrome prior to version 149.0.7827.53 is directly affected. While the source lists macOS, Linux kernel, and Windows as vendor_products, these appear to be platform listings rather than distinct vulnerability vectors—the flaw resides in Chrome's Glic component regardless of operating system. Verify Chrome version and apply the patch across all supported platforms.
Exploitability
Exploitation requires two preconditions: first, the attacker must already control the Chrome renderer process (a separate compromise), and second, the user must interact with a crafted HTML page. This two-stage requirement significantly reduces widespread opportunistic exploitation risk. However, in targeted scenarios—such as supply-chain compromise or persistent threat campaigns—combining renderer compromise with this input validation flaw becomes practical. The attack is not known to be actively exploited in the wild (KEV status: No).
Remediation
Update Google Chrome to version 149.0.7827.53 or later immediately. This patch addresses the input validation flaw in Glic. No workarounds short of disabling Glic or running Chrome in a restricted sandbox are available. Organizations should prioritize patching in environments where renderer compromise is a credible threat model.
Patch guidance
Deploy Chrome version 149.0.7827.53 or newer across your organization using your standard browser deployment tools (Google Update, MDM, package managers). Verify successful patch application by checking chrome://version in the address bar. If you manage Chrome policy via Google Admin Console or enterprise policies, ensure autoupdate is enabled and monitor rollout completion. Consider staged rollout if you have mission-critical workflows requiring pre-patch validation.
Detection guidance
Monitor Chrome version inventory to identify instances below 149.0.7827.53. Look for unusual JavaScript console errors or cross-origin data access patterns that correlate with users visiting external websites. Renderer process crashes or unexpected memory spikes may indicate exploit attempts. In forensic analysis of suspected compromise, check for crafted HTML files in browsing history or cached files that correlate with timing of data exfiltration events. Security event correlation with renderer process compromise indicators (e.g., from EDR tools) should trigger elevated alerting.
Why prioritize this
Although this vulnerability requires prior renderer process compromise, making it a secondary exploit in attack chains rather than a primary vector, the confidentiality impact (cross-origin data leakage) in a browser context warrants prompt patching. The combination of network attack surface, user interaction requirement, and medium CVSS score (6.5) places it in the 'urgent but not critical' tier. Organizations with high-risk browser populations should patch within 1–2 weeks; others within 4 weeks.
Risk score, explained
CVSS 6.5 (Medium) reflects high confidentiality impact balanced against the prerequisite of renderer compromise and required user interaction. The attack vector is network-based and complexity is low once the preconditions are met. The severity aligns with Chromium's own Medium classification. No integrity or availability impact is present. For most organizations, this is a medium-priority patch; for those with advanced threat models incorporating persistent renderer compromise, it merits higher priority.
Frequently asked questions
Do I need to have already been hacked for this vulnerability to affect me?
Not necessarily. This vulnerability becomes exploitable if your Chrome renderer process is compromised—which could happen through a separate browser exploit, malicious extension, or supply-chain compromise. Once that happens, an attacker can use this flaw to steal data from websites you visit. It's a secondary exploit, not a entry point, but every organization should assume renderer compromise is possible in targeted attacks.
What data can an attacker actually steal?
An attacker can leak cross-origin data—meaning they can read information from websites other than the attacker's malicious page. This could include login tokens, personal information, or sensitive content on pages the user is viewing. The exact data depends on what the browser has access to at that moment and what the target websites store in accessible memory.
Is this vulnerability already being exploited in real attacks?
No. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no known active exploitation in the wild as of the current date. However, this does not guarantee future safety—attackers may develop exploits once patches are available, so prompt patching is still essential.
Do I need to patch all operating systems equally?
Chrome's Glic vulnerability exists in the browser application itself, not the underlying OS. Patch Chrome on Windows, macOS, and Linux systems simultaneously and with equal priority. Operating system security updates should continue on their own schedule but are separate from this Chrome patch.
This analysis is provided for informational purposes and reflects the state of publicly available information as of the publication date. CVSS scores, affected versions, and patch details are derived from official vendor advisories and should be verified against Google's Chrome release notes and security advisories before implementation. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment based on their specific environment, threat model, and regulatory requirements. SEC.co makes no warranties regarding the completeness or accuracy of this intelligence. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls