CVE-2026-11155: Chrome CSS Cross-Origin Data Leak Vulnerability
Google Chrome versions prior to 149.0.7827.53 contain a flaw in how CSS is processed that could allow an attacker to trick a user into visiting a malicious website where sensitive data from other sites (cross-origin data) could be leaked. The attack requires user interaction—specifically clicking a link or visiting a crafted page—but does not require the attacker to have special permissions or bypass other security controls. The leaked information would be visible only to the attacker, not modified or destroyed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-352
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
A CSS implementation vulnerability in Chrome allows improper handling of cross-origin resources, enabling information disclosure through a specially crafted HTML page. The vulnerability is rooted in CWE-352 (Cross-Site Request Forgery), indicating a weakness in same-origin policy enforcement or request validation. Attackers can craft a malicious page that, when visited by a user, triggers CSS processing that leaks data from pages the user has access to on other origins. No authentication is required, and the attack surface is broad since any network-accessible page can host the exploit. The attack vector is network-based with low complexity, but human interaction (visiting the page) is necessary for exploitation.
Business impact
This vulnerability primarily poses a data confidentiality risk to Chrome users. Organizations where employees browse untrusted websites or receive phishing emails linking to malicious sites face potential exposure of sensitive cross-origin data—such as intranet pages, cloud application dashboards, or internal services—if those users are simultaneously authenticated to multiple sensitive web applications. The impact is contained to information disclosure and does not enable direct code execution, data modification, or service disruption. For most enterprises, the risk is moderate provided users follow safe browsing practices.
Affected systems
Google Chrome prior to version 149.0.7827.53 is directly affected. The vulnerability also impacts Chrome's presence on Windows, macOS, and Linux platforms. Users on any supported operating system running an older Chrome build are at risk. Chromium-based browsers (Edge, Brave, Opera, etc.) may be affected depending on their update cadence and whether they incorporate the patched Chromium code.
Exploitability
Exploitation is straightforward from an attacker perspective but requires social engineering. An attacker creates a malicious HTML page embedding crafted CSS and distributes a link via email, social media, or compromised websites. When a user visits the page, the CSS processes without user awareness, leaking cross-origin data back to the attacker. No special tools or zero-day techniques are needed beyond the vulnerability itself. However, real-world impact depends on the user's browsing context—concurrent authentication to sensitive services increases exposure. The CVSS score of 4.3 (Medium) reflects the low attack complexity offset by the requirement for user interaction and limited scope of data exposure.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Google's auto-update mechanism should deploy this patch automatically for most users, but verification is recommended in enterprise environments using managed Chrome deployments. Users on Windows, macOS, and Linux should check Chrome's About page (Menu > About Google Chrome) to confirm the running version and force an immediate check for updates if needed. No workarounds are available; patching is the only mitigation.
Patch guidance
Chrome 149.0.7827.53 and all subsequent releases contain the fix. Administrators managing Chrome through policies (via Google Admin Console or equivalent tools) should verify that update channels are set to deliver this version or later. For organizations using Chromium directly or custom builds, ensure the patched Chromium version is compiled and deployed. Test the patch in a pilot group before broad rollout to confirm compatibility with internal web applications. Verify the running version post-deployment using the About Chrome page or policy reporting tools.
Detection guidance
Monitor for outbound network connections from user devices to suspicious domains known to host CSS-based exploits or phishing pages. Endpoint detection and response (EDR) solutions can track Chrome process behavior, flagging unusual CSS processing or rapid cross-origin requests. Web proxy logs may reveal users accessing known malicious sites. Security teams should educate users on recognizing phishing and malicious links. Internal monitoring of cross-origin data access patterns (e.g., via Content Security Policy logs) may detect attempted exfiltration, though the vulnerability operates below typical CSP visibility. Patch deployment monitoring will confirm remediation coverage.
Why prioritize this
While the CVSS score is moderate (4.3), this vulnerability merits timely but not emergency patching. The attack requires user interaction and social engineering, reducing the likelihood of mass exploitation. However, targeted attacks against high-value targets (executives, finance teams) using phishing or watering-hole tactics to leak sensitive internal data are plausible. Prioritize patching for users with access to sensitive cross-origin resources or those in high-risk roles. General user populations can follow the standard patch cycle, typically within 1–2 weeks of release.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects: (1) Network attack vector (AV:N) — easily exploitable from the internet; (2) Low attack complexity (AC:L) — no special conditions needed; (3) No privileges required (PR:N); (4) User interaction required (UI:R) — the main limiting factor, as the user must visit the malicious page; (5) Unchanged scope (S:U) — the vulnerability does not cross trust boundaries; (6) Low confidentiality impact (C:L) — data is leaked but the exposure is limited in scope. The 'Medium' severity label appropriately captures that this is a real but contained risk, especially in focused attack scenarios.
Frequently asked questions
Does this vulnerability affect my browser if I only visit trusted websites?
The risk is significantly lower if you only visit trusted, well-known sites. However, the vulnerability still presents risk if an attacker compromises a legitimate site or if you accidentally click a malicious link in an email or ad. Applying the patch eliminates the vulnerability entirely regardless of browsing habits.
Can this vulnerability steal my passwords or banking credentials?
No. The vulnerability leaks cross-origin data accessible to the browser in the current session (e.g., pages you're logged into). It cannot extract stored passwords, cookies in HttpOnly mode, or credentials not yet loaded into the page. That said, an attacker could potentially leak sensitive information from pages you're authenticated to, which could aid further attacks.
If I use a non-Chrome browser, am I safe?
If you use Firefox, Safari, or another non-Chromium browser exclusively, you are not directly affected by this Chrome vulnerability. However, Chromium-based browsers (Edge, Brave, Opera, Vivaldi) may be vulnerable if they have not yet incorporated the patch from Chromium 149.0.7827.53. Check your browser's version and update accordingly.
Why isn't this vulnerability on the KEV catalog?
The CISA Known Exploited Vulnerabilities (KEV) catalog focuses on vulnerabilities with confirmed active exploitation in the wild or strong evidence of weaponization. This vulnerability has not met that threshold yet. Its presence on KEV would indicate imminent or active mass exploitation requiring emergency response; its absence reflects current threat intelligence but does not mean the vulnerability is unimportant or should be ignored.
This analysis is based on vendor disclosures and CVSS metrics as of the publication date. Exploit code, proof-of-concept details, or active threat information are not provided. Security teams should verify patch availability and compatibility in their environment before deployment. This document does not constitute legal, compliance, or insurance advice. Organizations should conduct their own risk assessment and follow internal change management procedures when deploying patches. SEC.co does not endorse any third-party tools or services mentioned. For the most current information, consult Google's official Chrome security advisory and your vendor's guidance. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11106MEDIUMCross-Origin Data Leak in Google Chrome Media Component
- CVE-2026-11129MEDIUMChrome Extension Cross-Origin Data Leak Vulnerability
- CVE-2026-11134MEDIUMChrome Media Component Cross-Origin Data Leak Vulnerability
- CVE-2026-11139MEDIUMChrome Cross-Origin Data Leak in Paint Implementation
- CVE-2026-11156MEDIUMGoogle Chrome CSS Cross-Origin Data Leak