MEDIUM 6.5

CVE-2026-11121: Skia Input Validation Flaw in Google Chrome 149 – Cross-Origin Data Leakage

CVE-2026-11121 is a medium-severity vulnerability in Skia, the graphics rendering engine used by Google Chrome. The flaw involves improper validation of untrusted input that could allow an attacker who has already compromised the browser's renderer process to extract sensitive data across origin boundaries using a specially crafted web page. This is not an initial entry point into systems, but rather a post-compromise escalation vector that broadens the damage an attacker can do once inside the browser process.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-20
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in Skia's input validation routines, classified under CWE-20 (Improper Input Validation). An attacker who controls the compromised renderer process can craft HTML that bypasses origin isolation protections, enabling exfiltration of cross-origin data. The attack requires an active browser session with user interaction (UI required per the CVSS vector), and affects Chrome versions prior to 149.0.7827.53. While the underlying OS (Windows, macOS, Linux) is not the direct vulnerability source, they are affected because Chrome runs on these platforms.

Business impact

For most organizations, the practical risk depends on whether their users encounter prior renderer process compromises. However, the vulnerability's significance lies in data exfiltration: once an attacker gains initial access to the renderer process (via malware, watering-hole attacks, or other exploits), this flaw allows them to pivot laterally across origin boundaries, potentially accessing authentication tokens, session data, or sensitive information from other web properties the user has open. This undermines the browser's fundamental security model and could facilitate credential theft, unauthorized API access, or privacy breaches.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are directly vulnerable. The vulnerability is platform-agnostic, affecting Chrome on Windows, macOS, and Linux. Chromium-based browsers that incorporate Skia rendering from affected versions may also be at risk; organizations should verify their specific Chromium derivative versions against official vendor advisories.

Exploitability

Exploitation requires two prerequisites: an attacker must first compromise the renderer process (separate attack, not addressed by this CVE), and then the target user must interact with a crafted web page served by the attacker. The CVSS vector indicates network accessibility and low attack complexity, but the requirement for prior renderer compromise and user interaction limits real-world exploitability compared to zero-click flaws. CVSS 6.5 reflects confidentiality impact (data leakage) without integrity or availability impact. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting limited public weaponization to date.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Users on Windows, macOS, and Linux should enable automatic updates or manually verify they are running a patched version. Organizations managing Chromium forks or derivatives must obtain vendor updates that incorporate the upstream Skia fix and rebuild affected binaries.

Patch guidance

Google Chrome updates are typically delivered automatically; verify via Settings > About Chrome that your version is 149.0.7827.53 or higher. For managed environments, use your organization's Chrome management policies or deployment tools to ensure rapid rollout. Chromium-based browser vendors (Microsoft Edge, Brave, Opera, etc.) should release their own updates incorporating this Skia patch; verify with your specific vendor. There is no workaround; patching is the only mitigation.

Detection guidance

Monitor Chrome update status across your environment to identify lagging patches. Endpoint detection tools can flag Chrome versions below 149.0.7827.53 as non-compliant. Behavioral detection of cross-origin data exfiltration post-compromise is difficult without network segmentation or data loss prevention tools. Focus on ensuring timely patch deployment rather than post-exploitation detection, since the vulnerability requires prior renderer compromise that should itself trigger security alerts.

Why prioritize this

While rated CVSS 6.5 (medium), this vulnerability merits prompt patching because it extends the reach of renderer-process compromises—a common attack scenario. In environments with heavy web browsing (especially SaaS and cloud services), cross-origin data leakage could expose high-value credentials and session tokens. However, organizations free from renderer-process malware (e.g., through robust endpoint protection) face lower immediate risk. Prioritize organizations with known malware or vulnerability exposure in their browser attack surface.

Risk score, explained

The CVSS 6.5 score reflects high confidentiality impact (C:H) offset by the requirement for prior compromise (lowering practical exploitability) and user interaction (UI:R). The vector AV:N/AC:L/PR:N/UI:R/S:U indicates the attack surface is network-reachable with low complexity, but no privilege escalation or scope change occurs—the flaw operates entirely within the user's browser context. The score appropriately captures the post-compromise escalation nature: serious for organizations with active malware, less critical for well-protected environments.

Frequently asked questions

Do I need to patch if I don't use Google Chrome?

No, this vulnerability is specific to Chrome's use of Skia. However, other Chromium-based browsers (Edge, Brave, Opera) may be affected depending on their Skia version. Check with your browser vendor's security advisories.

What data can an attacker actually steal with this flaw?

Any data visible to the compromised renderer process and accessible via cross-origin requests—typically session cookies, authentication tokens, cached credentials, and data from open web pages. The severity depends on what sensitive services the user has active in other browser tabs.

Does this vulnerability let an attacker get into my computer from scratch?

No. This is a post-compromise flaw that requires the attacker to already control Chrome's renderer process. It amplifies the damage of other exploits but does not serve as an initial entry point.

What is the difference between this and other Chrome security updates?

Many Chrome updates patch flaws that enable initial renderer compromise (the first foothold). This one assumes that first compromise has happened and prevents the attacker from jumping between origins—a second line of defense.

This analysis is provided for informational purposes and reflects the state of publicly disclosed information as of the publication date. Vulnerability details and patch availability may evolve; consult official vendor advisories (particularly Google's Chrome security release notes) for authoritative guidance. Organizations should verify all patch version numbers and compatibility against their specific environments before deployment. This page does not constitute legal or compliance advice; security teams should align patch timelines with their organization's risk management and change control policies. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).