MEDIUM 6.5

CVE-2026-11101: Chrome Windows Cross-Origin Data Leak (CVSS 6.5)

A vulnerability in Google Chrome's Dawn graphics library allows attackers to steal sensitive data from other websites when a user visits a malicious web page. The flaw stems from uninitialized memory being used improperly, potentially exposing information the attacker shouldn't be able to access. Chrome versions before 149.0.7827.53 on Windows are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-457
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Uninitialized Use in Dawn in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11101 is an uninitialized use vulnerability (CWE-457) in the Dawn graphics component of Chromium. The flaw occurs when memory that hasn't been properly initialized is used in a way that allows cross-origin data disclosure. An attacker crafting a malicious HTML page can trigger this condition to read sensitive data from other origins without proper authorization. The vulnerability requires user interaction (visiting the crafted page) but no elevated privileges, making it practical for web-based attacks. Chromium's internal severity assessment is Medium.

Business impact

This vulnerability poses a meaningful confidentiality risk to your organization's users. Employees browsing the web—especially those accessing sensitive cloud applications or internal web portals—could have their session data, authentication tokens, or other confidential information leaked to an attacker's controlled website. The attack surface is broad because it relies only on social engineering or malicious advertising to direct users to a crafted page. Data leakage incidents can trigger compliance obligations and erode customer trust.

Affected systems

Google Chrome running on Windows systems prior to version 149.0.7827.53 is vulnerable. This includes Windows 7, 8, 10, and 11 installations. The Dawn graphics library is embedded in all consumer and enterprise versions of Chrome on Windows. Note that Chrome on other operating systems (macOS, Linux, Android) may have separate patching timelines or may not be affected by this specific vulnerability—verify with Google's official advisory for complete platform coverage.

Exploitability

The vulnerability requires minimal attacker effort and low complexity. The primary barrier is user interaction: the victim must click a link or navigate to a malicious website. No authentication, special network access, or system compromise is required. Once a user lands on the crafted page, the attack executes automatically. The confidentiality impact is high (cross-origin data leakage), but there is no integrity or availability impact. Given the simplicity of delivery via phishing, watering holes, or malicious ads, this should be treated as a realistic threat.

Remediation

Update Google Chrome to version 149.0.7827.53 or later on all Windows systems. Chrome's auto-update mechanism should deploy the patch automatically for most users, but verify completion in your environment, particularly for managed deployments or offline systems. Organizations using Chrome Enterprise may need to manage updates through device policy. No workarounds exist; patching is the only mitigation.

Patch guidance

Prioritize deployment of Chrome 149.0.7827.53 or later across your Windows fleet. For large organizations, use Chrome Enterprise policies (via Google Admin Console or third-party MDM solutions) to enforce automatic updates or staged rollouts. Validate patch deployment by checking chrome://version in a sample of client machines. For unmanaged personal devices, ensure users are aware that Chrome will update automatically, but they should not ignore update prompts. Test any critical web applications after patching to rule out compatibility issues, though graphics library patches typically have low regression risk.

Detection guidance

Detection of this vulnerability in the wild is challenging without endpoint telemetry. Consider monitoring for suspicious HTML files or phishing campaigns that may be crafted to exploit this issue. Web application firewalls and email security tools may flag unusually complex or obfuscated HTML payloads. If possible, enable Chrome security event logging in your organization and look for anomalous memory access patterns or cross-origin data flows. Most importantly, track Chrome version compliance across your managed devices to ensure vulnerable versions are not in use. User reports of unexpected data exposure or account compromise should trigger investigation.

Why prioritize this

Although CVE-2026-11101 carries a CVSS score of 6.5 (Medium) and has not been added to CISA's KEV catalog, its practical exploitability and real-world attack surface warrant near-term patching. Cross-origin data leakage can directly compromise user accounts and sensitive information. The low barrier to exploitation (user must click a link) and the ubiquity of Chrome on Windows make this a credible threat. Organizations should prioritize this patch within their next 1–2 weeks, especially if employees regularly access cloud services or sensitive web applications.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects a network-exploitable vulnerability (AV:N) with no attack complexity (AC:L), no privilege requirement (PR:N), but requiring user interaction (UI:R). The impact is limited to confidentiality (C:H), with no integrity or availability impact. This score accurately captures the threat: meaningful but not critical. The absence of KEV status indicates that CISA has not yet observed active exploitation at scale, but this is not a guarantee of non-exploitation and should not delay patching.

Frequently asked questions

Will Chrome auto-update protect my systems automatically?

Chrome's auto-update mechanism will eventually deploy version 149.0.7827.53, but the timing depends on user activity and update policies. Enterprise administrators should verify patch deployment rather than relying on automatic updates alone. Organizations can accelerate patching via device policies or MDM solutions.

Does this vulnerability affect Chrome on macOS or Linux?

The description specifically references Chrome on Windows. Cross-origin data leakage issues may exist in other platforms, but this CVE's scope is Windows. Consult Google's official advisory and release notes to confirm patching requirements for other operating systems.

Can a user accidentally trigger this vulnerability by visiting a normal website?

No. The vulnerability requires a specially crafted HTML page designed to exploit the flaw. Normal websites will not trigger it. However, attackers can serve the malicious HTML through phishing, watering holes, malicious ads, or other social engineering techniques.

What should I do if I suspect a user was compromised via this vulnerability?

Advise affected users to change passwords for sensitive accounts (email, cloud services, banking) immediately. Review account access logs and session history for unauthorized activity. Consider enabling multi-factor authentication if not already in place. Contact your security team and consider resetting authentication tokens for accounts accessed during the suspect timeframe.

This analysis is based on the official CVE description and Chromium security advisory. Readers should verify all patch versions, affected product versions, and platform coverage against Google's official release notes and security advisory before deploying patches. SEC.co does not guarantee the completeness or accuracy of third-party vulnerability data and recommends cross-referencing with vendor advisories. Organizations should conduct internal testing before rolling out patches to production systems. This explainer does not constitute legal advice or compliance guidance; consult your legal and compliance teams regarding breach notification or data protection obligations. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).