CVE-2026-11142: Chrome Paint Same-Origin Policy Bypass Vulnerability
A flaw in Google Chrome's Paint feature prior to version 149.0.7827.53 allows attackers to bypass the browser's same-origin policy through a maliciously crafted webpage. An attacker could trick a user into visiting their page and potentially access or manipulate content that should be isolated from other websites. The vulnerability requires user interaction but poses a meaningful integrity risk to web security boundaries.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11142 describes insufficient policy enforcement within Chrome's Paint subsystem that permits same-origin policy circumvention. The vulnerability resides in how Chrome validates and enforces origin restrictions during Paint operations, allowing a network attacker to craft HTML content that, when loaded by a user, violates the expected isolation between different origins. The flaw is classified as CWE-639 (Authorization through User-Controlled Key), reflecting a breakdown in proper origin verification during a sensitive browser operation. This is a client-side bypass requiring user navigation to the malicious page.
Business impact
Successful exploitation undermines the foundational security model of web browsers—the same-origin policy. An attacker leveraging this vulnerability could potentially access user data from other websites, modify content in ways the user does not expect, or perform actions on behalf of the user across different origins. For organizations whose users rely on multi-tab browsing or web-based applications, this creates cross-site integrity violations that could affect authentication tokens, session data, or sensitive user information. The impact is heightened in environments with privileged web applications or sensitive SaaS platforms.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are vulnerable. The vulnerability affects Chrome on all major platforms: Windows, macOS, and Linux systems running vulnerable browser versions. While the vulnerability is in Chrome itself, the operating systems listed (Windows, macOS, Linux) indicate the breadth of affected platforms. Users on any of these systems running an older Chrome version are at risk.
Exploitability
Exploitation requires a user to visit a crafted webpage, making this a network-based attack with low attack complexity and no elevated privileges needed. The CVSS vector reflects this: the attack is unauthenticated and remotely deliverable. However, it does require user interaction—specifically, the user must navigate to the attacker's page or a compromised legitimate page hosting the payload. This is not passively exploitable but is relatively straightforward to deliver via social engineering, malicious ads, or compromised websites. The vulnerability is not currently listed in the CISA KEV catalog, indicating no evidence of active weaponization or in-the-wild exploitation as of the publication date.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically deploys patches automatically, but users can manually verify their version via Chrome's settings (Help > About Google Chrome). Organizations should ensure their Chrome deployments, including managed instances, are updated. No workarounds exist; patching is the only mitigation.
Patch guidance
Deploy Chrome 149.0.7827.53 or a subsequent stable release. Organizations using Chrome managed policies should test the patch in a limited environment before full rollout to ensure compatibility with business-critical web applications. Chrome's frequent update cadence means this patch will be superseded by newer versions; ensure internal monitoring confirms the presence of a patched version. Verify the installed version matches or exceeds 149.0.7827.53 using the browser's about page or enterprise management tools.
Detection guidance
Detection is challenging at the network level since the attack relies on user navigation to a crafted page. Monitor for unusual browser crashes or instability following user visits to untrusted sites, though this is not definitive. Endpoint detection should focus on ensuring Chrome versions are current via asset inventory or mobile device management (MDM) tools. Web proxies and security information and event management (SIEM) systems can log visits to known malicious domains, but the vulnerability itself does not produce distinctive network signatures. Organizations should prioritize patch validation and version compliance scanning.
Why prioritize this
This vulnerability merits prompt attention despite its MEDIUM severity and lack of KEV listing. Same-origin policy bypasses are fundamental browser security breaks that, while limited in scope to Paint operations, could enable credential theft or malicious content injection. The low attack complexity and user-interaction requirement make this exploitable at scale via social engineering. Organizations should prioritize patching within their standard update windows—typically within 1–2 weeks of release. This is not an emergency patch requiring immediate out-of-band deployment, but it should not be deferred.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) reflects a remotely exploitable vulnerability (AV:N, AC:L, PR:N) that requires user interaction (UI:R) and results in integrity impact (I:H) but no confidentiality or availability loss (C:N, A:N). The score appropriately captures that this is a boundary-crossing integrity violation rather than a data leak or denial-of-service. The absence of confidentiality impact distinguishes this from more severe same-origin bypasses, though the integrity dimension is significant. The MEDIUM rating aligns with Chromium's own severity assessment.
Frequently asked questions
Does this vulnerability affect Chrome on iOS or Android?
The vulnerability affects Chrome on Windows, macOS, and Linux as indicated in the source data. Chrome on iOS and Android may have separate codebases and patching schedules; verify with Google's security advisories specific to mobile platforms if you manage those environments.
Can an attacker exploit this without the user visiting a webpage?
No. The attack requires user interaction—the user must navigate to a crafted HTML page. This is not a passive vulnerability that affects users simply by having Chrome open or installed.
What does same-origin policy mean in this context?
Same-origin policy is a core browser security rule that prevents scripts or content from one website from accessing data from another website. A bypass allows attackers to violate this isolation. In this case, the Paint subsystem did not properly enforce origin checks, creating a gap.
Why is this not listed in CISA's KEV catalog?
CISA's Known Exploited Vulnerabilities (KEV) catalog tracks vulnerabilities with evidence of active, in-the-wild exploitation by threat actors. The absence of this CVE from KEV as of its publication date means there is no documented evidence of real-world attacks, though the vulnerability remains a legitimate priority for patching.
This analysis is based on publicly available information from the CVE record and Google Chromium security advisories as of June 2026. Patch availability and version numbers should be verified against official Google Chrome release notes and HTTPS advisories. Organizations should validate all patches in a test environment before broad deployment. This document does not constitute legal or formal security advice; consult your security team and vendor advisories for definitive guidance. No exploit proof-of-concept code or detailed attack reproduction steps are provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)