CVE-2026-11038: Chrome Subresource Integrity Bypass – CVSS 6.5 Medium
Google Chrome versions before 149.0.7827.53 contain a flaw in how Subresource Integrity (SRI) policies are enforced, allowing attackers to bypass Content Security Policy (CSP) protections through crafted network traffic. An attacker would need to trick a user into visiting a malicious webpage to exploit this vulnerability. The issue is classified as medium severity because it enables content injection attacks but does not directly compromise confidentiality or system availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in Subresource Integrity in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via malicious network traffic. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11038 stems from insufficient policy enforcement in Chrome's Subresource Integrity implementation (CWE-20: Improper Input Validation). Subresource Integrity is a security feature that allows developers to ensure that fetched resources match a cryptographic hash. When SRI checks are not properly enforced, an attacker controlling network traffic or a malicious intermediary can serve tampered JavaScript or other resources that bypass the integrity verification. This defeats the purpose of CSP directives that rely on SRI to restrict script execution to approved sources. The vulnerability requires user interaction (visiting a compromised site) and operates in the network boundary without privilege escalation.
Business impact
Compromised integrity checking allows attackers to inject malicious scripts into web applications that rely on CSP and SRI for protection. Organizations whose users browse untrusted networks or whose web applications depend heavily on these defenses face increased risk of credential theft, session hijacking, or malware distribution. The practical impact depends on the security posture of visited websites and the sensitivity of data accessed through them.
Affected systems
The vulnerability affects Google Chrome prior to version 149.0.7827.53 on Windows, macOS, and Linux systems. The listing of Linux kernel and operating systems reflects Chrome's availability on these platforms, though the flaw is in Chrome itself, not the OS. Any user running an affected Chrome version is at risk when visiting untrusted or compromised websites.
Exploitability
Exploitation is relatively straightforward: an attacker hosting a malicious website or intercepting network traffic can serve code that violates SRI checks but bypasses Chrome's enforcement. The attack requires user interaction (visiting a link or site), making it suitable for phishing or drive-by attacks. No special privileges or system access are needed on the attacker side, and attack complexity is low. Public exploit code has not been confirmed to be in active use, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Users should update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically deploys patches within days; users can manually check for updates via Settings > About Chrome. Organizations should verify that auto-update policies are enabled and monitor deployment across their user base. For users unable to immediately patch, disabling untrusted extensions and avoiding unverified download links reduces exposure.
Patch guidance
Apply Chrome version 149.0.7827.53 or later. Most users with automatic updates enabled will receive this patch automatically. To manually verify the installed version, navigate to Settings > About Chrome, which will check for updates and display the current version. Enterprise administrators should consult Google's release notes and security advisories to validate patch deployment across managed endpoints. Verify the patch version number against Google's official Chrome release notes to ensure authenticity.
Detection guidance
Monitor Chrome version compliance across your environment using endpoint management tools or vulnerability scanners that query installed browser versions. Network security teams can observe anomalies in how browsers validate resource integrity by examining CSP headers and SRI hash mismatches in web traffic logs, though direct detection of the bypass itself in-transit is difficult without deep packet inspection. Application security teams should audit SRI and CSP configurations in web applications to ensure they are properly configured and relied upon for security controls.
Why prioritize this
This vulnerability merits prompt but not emergency patching. The CVSS score of 6.5 (Medium) reflects the requirement for user interaction and the integrity-focused nature of the impact (no confidentiality or availability loss). However, the ease of exploitation and the prevalence of Chrome as a target browser mean it should be addressed within the typical patch cycle (within 2–4 weeks). Organizations hosting sensitive web applications or serving users who frequently visit untrusted sites should prioritize this higher.
Risk score, explained
The CVSS 3.1 score of 6.5 is calculated as CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. Network attack vector (AV:N) and low complexity (AC:L) indicate easy exploitation. The requirement for user interaction (UI:R) prevents autonomous attacks. High integrity impact (I:H) reflects the ability to inject content, but no confidentiality or availability loss justifies the Medium severity rather than High. The unchanged scope (S:U) means the vulnerability does not affect other systems beyond the user's browser context.
Frequently asked questions
Can this vulnerability be exploited without a user clicking a link or visiting a website?
No. The attack requires a user to visit a malicious or compromised website or resource. Passive exploitation (e.g., through email alone) is not possible.
If I only visit trusted websites, am I still at risk?
Your risk is significantly lower but not zero. The vulnerability could be exploited if a trusted website is temporarily compromised or if an attacker intercepts traffic on an unencrypted network. Using HTTPS and keeping Chrome updated provides strong protection.
Will updating Chrome to 149.0.7827.53 automatically install, or do I need to do it manually?
Chrome typically auto-updates in the background. However, you can manually force a check by going to Settings > About Chrome. The exact timing depends on your update settings and OS restart frequency.
Does this vulnerability affect Chrome on mobile devices (Android/iOS)?
Chrome for Android uses Chromium engine and would be affected by the same flaw. iOS uses WebKit, not Chromium, so iOS Safari is not affected by this specific Chrome vulnerability. Verify your device's Chrome version and update as needed.
This analysis is provided for informational purposes and represents SEC.co's interpretation of publicly available vulnerability data. Patch version numbers and affected software versions are sourced from official vendor advisories and CVE records; verify against Google's official Chrome release notes and your organization's patch management system before deployment. CVSS scores reflect NIST standards and vendor assessments. This write-up does not constitute legal advice, product recommendation, or a guarantee of security if implemented. Organizations should conduct their own risk assessment and testing in controlled environments before applying patches to production systems. No exploit code or weaponized proof-of-concept details are provided herein. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls