MEDIUM 6.5

CVE-2026-11139: Chrome Cross-Origin Data Leak in Paint Implementation

A flaw in Google Chrome's Paint implementation allows attackers to steal sensitive information from one website and expose it to another. An attacker can craft a specially designed web page that, when visited by a user, exploits this vulnerability to read data across security boundaries that browsers normally enforce. The vulnerability affects Chrome versions before 149.0.7827.53 and requires user interaction—the victim must visit the malicious page—but does not require special permissions or system access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-352
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11139 stems from an inappropriate implementation in Chrome's Paint subsystem that fails to properly isolate cross-origin data. The vulnerability maps to CWE-352 (Cross-Site Request Forgery), indicating a failure to enforce proper origin-based access controls. The attack vector is network-based with low attack complexity; successful exploitation requires only user interaction via a crafted HTML page. The vulnerability has a CVSS v3.1 score of 6.5 (Medium severity) with a confidentiality impact of High, meaning sensitive user data could be exposed, while integrity and availability remain unaffected. Chromium's internal security assessment also classified this as Medium severity.

Business impact

A successful attack exposes users to cross-origin data exfiltration, potentially compromising authentication credentials, session tokens, personal information stored in web applications, or sensitive business data accessed through the browser. While the impact is confined to confidentiality (no system takeover or data modification), the ease of delivery via a simple HTML page makes this a practical risk for users visiting untrusted or compromised websites. Organizations should consider whether their security posture accounts for browser-based data leakage and whether users have adequate awareness of suspicious web content.

Affected systems

This vulnerability affects Google Chrome versions prior to 149.0.7827.53. Because Chrome is distributed across Windows, macOS, and Linux systems, all users of vulnerable Chrome versions on any of these operating systems are at risk. The vulnerability itself is in the Chrome browser; underlying OS kernel or vendor-specific code is not the root cause, though all mentioned platforms are affected by virtue of running affected Chrome versions.

Exploitability

Exploitability is straightforward for an attacker. The attack requires only a crafted HTML page and user interaction—no privileged access, no complex setup, and no software vulnerabilities in the victim's operating system. An attacker need only trick a user into visiting a malicious web page (via phishing, malvertising, or a compromised website) to trigger the vulnerability. The lack of privileges required and low attack complexity make this practical in real-world scenarios. However, it has not been added to the CISA KEV catalog, suggesting either limited active exploitation in the wild or rapid patching.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome's automatic update mechanism should deliver this patch, but users should verify their version number in Chrome's settings (Menu > About > Help > About Google Chrome) to confirm they are protected. No workarounds are available; patching is the only remediation.

Patch guidance

Prioritize deployment of Chrome 149.0.7827.53 or later across your organization. If you manage Chrome via enterprise deployment tools, verify that your automated update channels include this version. Test the patch in a non-production environment first if your organization has custom Chrome configurations or extensions. For users on managed devices, leverage Mobile Device Management (MDM) or Group Policy to enforce the patch. Users on personal devices should enable automatic updates if not already enabled and check that Chrome has updated to the patched version within two weeks of this advisory.

Detection guidance

Monitor for signs of suspicious HTML content being delivered to users; this is difficult to detect at the endpoint without deep content inspection. Network-level detection should focus on identifying phishing campaigns or watering holes known to distribute exploit pages. Behavioral indicators of successful exploitation are subtle—look for unusual cross-origin data access patterns in web application logs or unexpected API calls from users' browsers. If your organization uses browser telemetry, correlate Chrome version information with user activity to identify unpatched systems. Vulnerability scanners that audit browser versions on managed devices can confirm patch deployment status.

Why prioritize this

Despite a Medium CVSS score, this vulnerability warrants prioritized patching because it requires only user interaction (not a system compromise) to leak sensitive data, can be exploited via simple HTML, and affects the widely used Chrome browser across all major operating systems. The low barrier to weaponization makes it attractive to attackers conducting targeted phishing or managing compromised websites. Organizations should prioritize this within two to four weeks depending on their risk tolerance and the sensitivity of data users access via their browsers.

Risk score, explained

The CVSS 6.5 (Medium) score reflects high confidentiality impact but no integrity or availability impact, combined with a network attack vector and low attack complexity. The requirement for user interaction (UI:R) moderately reduces the score. Chromium's Medium severity rating aligns with this assessment. This is not a critical remote code execution or a vulnerability causing denial of service; rather, it is a targeted data exposure risk that nevertheless should not be ignored given its ease of exploitation.

Frequently asked questions

Can an attacker steal my password or login credentials?

Yes. If your login credentials or session tokens are stored or processed in a way accessible to JavaScript, they could be exfiltrated via this vulnerability. Websites using secure, HTTP-only cookies are better protected, but sensitive data entered into web forms or displayed on the page could still be leaked.

Do I need to do anything besides update Chrome?

Once you have updated to Chrome 149.0.7827.53 or later, the vulnerability is patched. However, you should practice general web hygiene: avoid clicking links in unsolicited emails, keep your browser extensions minimal and from trusted sources, and be cautious about the websites you visit.

Is my data already compromised?

This vulnerability has not been actively exploited at scale according to public reports. However, if you visited a malicious website before patching, it is possible your data was exposed. Monitor your accounts for suspicious activity and consider changing passwords on sensitive services if you believe you may have visited an exploit page.

Why does the vulnerability affect multiple operating systems if it's in Chrome?

Chrome runs on Windows, macOS, and Linux. The Paint implementation vulnerability exists in Chrome itself, not in the OS. All versions of Chrome with the vulnerable code, regardless of operating system, are affected. Updating Chrome on your specific OS resolves the issue.

This analysis is provided for informational purposes and represents SEC.co's interpretation of available vulnerability data as of the publication date. Patch version numbers, affected product versions, and other technical details are sourced from official vendor advisories and the CVE record. Organizations should verify patch availability and compatibility with their specific deployments before applying updates. No exploit code or detailed attack methodology is provided. This vulnerability has not been confirmed in public exploit databases or added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of the analysis date. Readers should consult official Google Chrome release notes and their own risk assessments when prioritizing remediation. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).