MEDIUM 6.5

CVE-2026-11036: Chrome Same-Origin Policy Bypass via DOM Implementation Flaw

Google Chrome versions before 149.0.7827.53 contain a DOM implementation flaw that allows attackers to circumvent the same-origin policy—a fundamental browser security boundary. An attacker could craft a malicious HTML page that, when visited, tricks the browser into allowing cross-origin requests or data access that should normally be blocked. This requires user interaction (clicking a link, visiting a site) but does not require any special privileges. While the attack does not expose sensitive data directly, it enables unauthorized modification of web content or session state, potentially leading to account compromise or malware injection.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-346
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in DOM in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11036 stems from an inappropriate DOM implementation in Chrome's renderer process. The vulnerability maps to CWE-346 (Origin Validation Error), indicating a failure in the same-origin policy enforcement mechanism. The CVSS 3.1 score of 6.5 (Medium) reflects a network-accessible attack requiring user interaction, with no confidentiality impact but high integrity impact and no availability impact. The vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms low attack complexity and no privileges needed—attackers need only convince a user to visit a crafted page. Chromium assigned this a Medium security severity.

Business impact

Organizations relying on Chrome for web application access face integrity risks. Attackers exploiting this flaw could modify application data, inject unauthorized script, or redirect user sessions without triggering the browser's typical CORS/same-origin protections. While not a direct data breach vector, successful exploitation could lead to credential theft, malware distribution, or unauthorized state changes in critical web applications. The requirement for user interaction reduces immediate automated attack surface, but social engineering (phishing, malicious ads) remains an effective delivery mechanism.

Affected systems

Google Chrome is the primary affected product on Windows, macOS, and Linux. Users running any version prior to 149.0.7827.53 are vulnerable. Secondary OS-level vendors (Apple macOS, Linux kernel, Microsoft Windows) are listed in the advisory, likely because Chrome distribution or certain integrations depend on them, but the core vulnerability is in Chrome itself. Organizations should focus patching efforts on Chrome across all platforms.

Exploitability

Exploitability is moderate to high in realistic scenarios. The attack requires a user to visit a crafted page, making it dependent on social engineering or drive-by download tactics. Attack complexity is low—no special browser configurations, plugins, or user setup is required. However, this is not an unauthenticated remote code execution vulnerability; it does not appear on the CISA KEV catalog, suggesting no active widespread exploitation has been publicly documented at the time of assessment. The vulnerability is not trivial to exploit—attackers must understand DOM and same-origin policy implementation details—but is within reach of motivated threat actors.

Remediation

Update Google Chrome to version 149.0.7827.53 or later on all systems. Chrome's auto-update mechanism typically handles this, but verify that auto-update is enabled and functioning. For managed environments, deploy the update via your organization's endpoint management or software distribution tool. Confirm completion by checking Chrome's version string (Menu → Help → About Google Chrome). No workarounds are available; patching is the only remediation.

Patch guidance

Verify your Chrome version by navigating to chrome://version or checking Menu → Help → About Google Chrome. If the version is 149.0.7827.53 or higher, you are protected. If auto-update is disabled, manually trigger an update or re-enable auto-update in Chrome settings. For enterprise deployments, use your MDM/policy tool to enforce the minimum version requirement. Test patch deployment in a pilot group before rolling out organization-wide to ensure compatibility with critical web applications.

Detection guidance

Monitor for unusual DOM-based cross-origin requests or unexpected same-origin policy bypasses in web application logs and browser network traces. Endpoint detection and response (EDR) tools may flag anomalous child process behavior if attackers chain this vulnerability with other exploits. Web application firewalls (WAF) can detect suspicious patterns in crafted HTML payloads attempting origin spoofing or policy confusion. Track Chrome version adoption metrics to ensure vulnerable installations are not present in your environment. No specific malware signature or network-level indicator is typically associated with exploitation attempts.

Why prioritize this

While this is a Medium-severity issue, it directly undermines web security boundaries that protect sensitive application data and user sessions. Organizations with high-value web applications, SSO systems, or sensitive cloud services should prioritize patching within 1–2 weeks. The low attack complexity and user-interaction requirement suggest phishing and social engineering campaigns could weaponize this quickly if attackers coordinate with infrastructure compromises or credential harvesting. Delayed patching increases risk exposure in environments where users regularly access untrusted content.

Risk score, explained

The CVSS 6.5 (Medium) score reflects the balance between ease of attack delivery (network, low complexity, user interaction) and moderate impact (integrity compromised, no data exposure, no system unavailability). The vulnerability does not grant remote code execution or data exfiltration directly, which would elevate it to High or Critical. However, the integrity impact is significant because successful exploitation enables unauthorized state modification and potential session hijacking in web applications. The lack of KEV catalog inclusion indicates no evidence of active, widespread exploitation, which would otherwise justify higher urgency.

Frequently asked questions

Can this vulnerability steal my passwords or files?

No. CVE-2026-11036 does not enable data confidentiality attacks or file exfiltration. However, it can allow unauthorized modification of web pages or sessions, which could indirectly lead to phishing, malware injection, or account compromise if exploited against web applications. Your data is not directly exposed by this vulnerability, but your session integrity is at risk.

Do I need to do anything if auto-update is turned on?

Likely not. Chrome's auto-update mechanism should deploy version 149.0.7827.53 automatically. However, you should verify your current version (Menu → Help → About Google Chrome) to confirm you are fully patched. Restart Chrome if prompted after an update to ensure the patch is active.

Is this vulnerability being exploited in the wild?

As of the published date, this vulnerability does not appear on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed public exploitation or active campaigns. However, you should still prioritize patching, as the low attack complexity and social engineering pathways could enable exploitation if threat actors develop proof-of-concept code.

Does this affect Chrome on mobile devices?

Chrome on Android and iOS relies on the same underlying Chromium security model. Verify your mobile Chrome version and ensure auto-update is enabled. Mobile users should apply updates as soon as available through their device's app store.

This analysis is based on publicly available vulnerability data current as of the advisory publication date. For the most up-to-date patch information, version numbers, and affected product lists, consult the official Google Chrome Security & Privacy blog and Chromium security advisories. SEC.co makes no warranty regarding the completeness or accuracy of exploitation timelines or threat actor activity claims. Implement patches in alignment with your organization's change management and testing procedures. Contact your vendor or security team for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).