MEDIUM 6.1

CVE-2026-11122: Chrome UXSS Vulnerability in Keyboard Component—Patch Now

Google Chrome versions before 149.0.7827.53 contain a flaw in how the keyboard input handler processes certain HTML page elements. An attacker can craft a malicious webpage that, when visited by an unsuspecting user, injects arbitrary scripts or HTML content that executes in a security context where it shouldn't be allowed—a technique called Uniform Cross-Site Scripting (UXSS). This bypasses the browser's same-origin policy protections that normally prevent cross-domain attacks. The vulnerability requires user interaction (clicking or viewing the page) but affects all major platforms where Chrome runs.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-358
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Keyboard in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11122 is a medium-severity UXSS vulnerability (CWE-358: Inappropriate Encoding or Escaping) in the Chrome Keyboard component. The root cause stems from improper validation or sanitization of HTML input during keyboard event processing. An attacker-controlled HTML page can exploit this to break out of the intended execution context and inject arbitrary scripts with access to sensitive data and DOM manipulation capabilities on other origins. The vulnerability is network-reachable, requires no special privileges, and triggers through user interaction with a crafted page. It affects Chrome on Windows, macOS, and Linux distributions.

Business impact

This vulnerability enables phishing and credential harvesting at scale. An attacker could inject fake login forms or authentication dialogs that capture user credentials, session tokens, or other sensitive information. Because the injected script operates with elevated privileges (across origins), attackers could also steal authentication cookies, CSRF tokens, or exfiltrate data from other open tabs. Organizations with users on older Chrome versions face data breach risk, particularly if employees access sensitive cloud services or internal web applications. The reputational and compliance costs (GDPR, HIPAA, SOC 2) could be significant if breaches occur.

Affected systems

Google Chrome prior to version 149.0.7827.53 is directly affected. Because Chrome is built into or deeply integrated with Chromium-based browsers and platforms, the vulnerability also touches Apple macOS, Linux kernel distributions, and Microsoft Windows systems—not because those OS kernels are flawed, but because Chrome runs on them and users on those platforms are exposed if they haven't patched. Any organization with Chrome users on Windows, macOS, or Linux should assess patch status across their fleet.

Exploitability

Exploitability is straightforward. An attacker needs only to host a malicious webpage and trick or socially engineer a user into visiting it—no advanced interaction required beyond a normal click or page load. No authentication, special network access, or system-level privileges are needed. The attack surface is very broad: phishing emails, compromised advertising networks, watering hole attacks on industry-specific sites, or drive-by downloads. Once a user visits the page, the UXSS payload executes immediately. This makes it attractive for mass-exploitation campaigns. However, the vulnerability is not yet tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no active exploitation in the wild has been widely documented as of the intelligence publication date.

Remediation

Update Chrome to version 149.0.7827.53 or later immediately. Chrome's auto-update mechanism typically rolls out patches within 24–48 hours of release, but manual verification is prudent for mission-critical systems. Users can verify their version in Chrome settings (Menu > About Google Chrome). Organizations should enforce patch policies via MDM/EMM solutions and monitor update compliance. For users unable to patch immediately, disable JavaScript execution in the browser (reduces functionality but removes execution vector), restrict access to untrusted websites, and enforce strict content security policies (CSP) via network or proxy controls to block inline script injection.

Patch guidance

Google released the fix in Chrome 149.0.7827.53 (published June 4, 2026). Verify the version number through official Google Chrome release notes and your organization's patch management system. For enterprise deployments, test the patch in a staging environment before wide rollout to ensure compatibility with internal web applications. Google typically maintains multiple update channels (Stable, Beta, Dev); ensure all channels and all devices (desktops, laptops, Chromebooks) are updated. If auto-update is disabled, manually trigger updates via Chrome menu or group policy (Windows) and configuration profiles (macOS).

Detection guidance

Monitor Chrome version compliance across your fleet using MDM tools, SIEM systems, or vulnerability scanners. Endpoint Detection and Response (EDR) solutions may flag suspicious DOM manipulation or cross-origin script injection attempts, though UXSS detection is often difficult post-execution. Network-level controls: inspect outbound HTTPS traffic for signs of exfiltrated credentials or unusual data flows. Web application firewalls (WAFs) and proxy logs can identify requests to malicious pages if URLs are known. Threat intelligence feeds may provide indicators of compromise (IoCs) if public exploits emerge. Behavioral analysis for unusual tab activity or unexpected popup/modal dialogs can hint at UXSS exploitation. Consider deploying browser isolation technologies or enhanced sandboxing in high-risk environments.

Why prioritize this

Although the CVSS score is moderate (6.1), the practical risk is elevated. UXSS is a high-impact attack class because it defeats the browser's core security model and enables credential theft and data exfiltration at scale. The attack is trivial to execute—a simple phishing email suffices. Chrome's ubiquity in enterprise and consumer environments means patch coverage affects millions of users. The lack of KEV designation suggests no mass exploitation yet, but this may reflect intelligence lag rather than low exploitation probability. Organizations should treat this as a high-priority patch for exposed systems, especially those handling sensitive data or credentials.

Risk score, explained

The CVSS 3.1 score of 6.1 (MEDIUM) reflects the network attack vector, low complexity, no privilege requirement, and user interaction trigger. However, the impact metrics (Low on Confidentiality and Integrity, None on Availability) understate the real-world severity of UXSS. The scoring penalizes the vulnerability because it requires user action (UI:R), but that action bar is extremely low—simply visiting a page. The Scope-Changed attribute (S:C) correctly captures that the vulnerability affects resources beyond the vulnerable component. Organizations should overlay business context: if your users regularly visit untrusted sites or interact with external web content, prioritize this patch as HIGH despite the MEDIUM CVSS rating.

Frequently asked questions

Will Chrome's sandbox prevent exploitation of this UXSS vulnerability?

Chrome's sandbox isolates each tab/process, but UXSS operates within the renderer context where JavaScript already executes. The sandbox prevents breakout to the OS, but does not prevent the injected script from stealing data within the browser (cookies, session tokens, DOM content from other origins). The sandbox is an additional defense layer, not a complete mitigation. Patching remains essential.

Do I need to patch if I use a Chromium-based browser like Edge or Brave?

Yes. If your browser is built on Chromium (Edge, Brave, Opera, Vivaldi, etc.), you are exposed to the same underlying keyboard component flaw. Each vendor maintains its own release cycle, so check your browser's version against Chromium 149.0.7827.53. Microsoft Edge and others will issue patches based on the same upstream fix; apply them as soon as available.

What is the difference between UXSS and regular XSS?

Traditional XSS (stored or reflected) is blocked by the same-origin policy—an attacker on site A cannot inject scripts that execute on site B. UXSS bypasses this boundary entirely, allowing an attacker-controlled page to inject scripts that execute as if they originated from any domain, defeating the same-origin policy. UXSS is significantly more dangerous because it can steal credentials and data across all open browser tabs.

If I block JavaScript, am I safe from this vulnerability?

Yes, disabling JavaScript prevents script execution entirely and eliminates this attack vector. However, this severely breaks modern web functionality. A better short-term approach is to restrict access to untrusted sites, enforce strict CSP policies, and deploy network-level controls while awaiting patch deployment.

This analysis is provided for informational purposes only and reflects publicly available information as of June 2026. While we strive for accuracy, SEC.co makes no warranties regarding the completeness or timeliness of this intelligence. Security decisions should always be validated against official vendor advisories and your organization's threat model. Patch version numbers and release dates must be verified against Google's official Chrome release notes. No exploit code or proof-of-concept is provided or endorsed. Organizations should test patches in non-production environments before deployment. This vulnerability analysis does not constitute legal, compliance, or security advice; consult your security team and legal counsel for remediation decisions. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).