MEDIUM 4.3

CVE-2026-11155: Chrome CSS Cross-Origin Data Leak Vulnerability

Google Chrome versions prior to 149.0.7827.53 contain a flaw in how CSS is processed that could allow an attacker to trick a user into visiting a malicious website where sensitive data from other sites (cross-origin data) could be leaked. The attack requires user interaction—specifically clicking a link or visiting a crafted page—but does not require the attacker to have special permissions or bypass other security controls. The leaked information would be visible only to the attacker, not modified or destroyed.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-352
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

A CSS implementation vulnerability in Chrome allows improper handling of cross-origin resources, enabling information disclosure through a specially crafted HTML page. The vulnerability is rooted in CWE-352 (Cross-Site Request Forgery), indicating a weakness in same-origin policy enforcement or request validation. Attackers can craft a malicious page that, when visited by a user, triggers CSS processing that leaks data from pages the user has access to on other origins. No authentication is required, and the attack surface is broad since any network-accessible page can host the exploit. The attack vector is network-based with low complexity, but human interaction (visiting the page) is necessary for exploitation.

Business impact

This vulnerability primarily poses a data confidentiality risk to Chrome users. Organizations where employees browse untrusted websites or receive phishing emails linking to malicious sites face potential exposure of sensitive cross-origin data—such as intranet pages, cloud application dashboards, or internal services—if those users are simultaneously authenticated to multiple sensitive web applications. The impact is contained to information disclosure and does not enable direct code execution, data modification, or service disruption. For most enterprises, the risk is moderate provided users follow safe browsing practices.

Affected systems

Google Chrome prior to version 149.0.7827.53 is directly affected. The vulnerability also impacts Chrome's presence on Windows, macOS, and Linux platforms. Users on any supported operating system running an older Chrome build are at risk. Chromium-based browsers (Edge, Brave, Opera, etc.) may be affected depending on their update cadence and whether they incorporate the patched Chromium code.

Exploitability

Exploitation is straightforward from an attacker perspective but requires social engineering. An attacker creates a malicious HTML page embedding crafted CSS and distributes a link via email, social media, or compromised websites. When a user visits the page, the CSS processes without user awareness, leaking cross-origin data back to the attacker. No special tools or zero-day techniques are needed beyond the vulnerability itself. However, real-world impact depends on the user's browsing context—concurrent authentication to sensitive services increases exposure. The CVSS score of 4.3 (Medium) reflects the low attack complexity offset by the requirement for user interaction and limited scope of data exposure.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Google's auto-update mechanism should deploy this patch automatically for most users, but verification is recommended in enterprise environments using managed Chrome deployments. Users on Windows, macOS, and Linux should check Chrome's About page (Menu > About Google Chrome) to confirm the running version and force an immediate check for updates if needed. No workarounds are available; patching is the only mitigation.

Patch guidance

Chrome 149.0.7827.53 and all subsequent releases contain the fix. Administrators managing Chrome through policies (via Google Admin Console or equivalent tools) should verify that update channels are set to deliver this version or later. For organizations using Chromium directly or custom builds, ensure the patched Chromium version is compiled and deployed. Test the patch in a pilot group before broad rollout to confirm compatibility with internal web applications. Verify the running version post-deployment using the About Chrome page or policy reporting tools.

Detection guidance

Monitor for outbound network connections from user devices to suspicious domains known to host CSS-based exploits or phishing pages. Endpoint detection and response (EDR) solutions can track Chrome process behavior, flagging unusual CSS processing or rapid cross-origin requests. Web proxy logs may reveal users accessing known malicious sites. Security teams should educate users on recognizing phishing and malicious links. Internal monitoring of cross-origin data access patterns (e.g., via Content Security Policy logs) may detect attempted exfiltration, though the vulnerability operates below typical CSP visibility. Patch deployment monitoring will confirm remediation coverage.

Why prioritize this

While the CVSS score is moderate (4.3), this vulnerability merits timely but not emergency patching. The attack requires user interaction and social engineering, reducing the likelihood of mass exploitation. However, targeted attacks against high-value targets (executives, finance teams) using phishing or watering-hole tactics to leak sensitive internal data are plausible. Prioritize patching for users with access to sensitive cross-origin resources or those in high-risk roles. General user populations can follow the standard patch cycle, typically within 1–2 weeks of release.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects: (1) Network attack vector (AV:N) — easily exploitable from the internet; (2) Low attack complexity (AC:L) — no special conditions needed; (3) No privileges required (PR:N); (4) User interaction required (UI:R) — the main limiting factor, as the user must visit the malicious page; (5) Unchanged scope (S:U) — the vulnerability does not cross trust boundaries; (6) Low confidentiality impact (C:L) — data is leaked but the exposure is limited in scope. The 'Medium' severity label appropriately captures that this is a real but contained risk, especially in focused attack scenarios.

Frequently asked questions

Does this vulnerability affect my browser if I only visit trusted websites?

The risk is significantly lower if you only visit trusted, well-known sites. However, the vulnerability still presents risk if an attacker compromises a legitimate site or if you accidentally click a malicious link in an email or ad. Applying the patch eliminates the vulnerability entirely regardless of browsing habits.

Can this vulnerability steal my passwords or banking credentials?

No. The vulnerability leaks cross-origin data accessible to the browser in the current session (e.g., pages you're logged into). It cannot extract stored passwords, cookies in HttpOnly mode, or credentials not yet loaded into the page. That said, an attacker could potentially leak sensitive information from pages you're authenticated to, which could aid further attacks.

If I use a non-Chrome browser, am I safe?

If you use Firefox, Safari, or another non-Chromium browser exclusively, you are not directly affected by this Chrome vulnerability. However, Chromium-based browsers (Edge, Brave, Opera, Vivaldi) may be vulnerable if they have not yet incorporated the patch from Chromium 149.0.7827.53. Check your browser's version and update accordingly.

Why isn't this vulnerability on the KEV catalog?

The CISA Known Exploited Vulnerabilities (KEV) catalog focuses on vulnerabilities with confirmed active exploitation in the wild or strong evidence of weaponization. This vulnerability has not met that threshold yet. Its presence on KEV would indicate imminent or active mass exploitation requiring emergency response; its absence reflects current threat intelligence but does not mean the vulnerability is unimportant or should be ignored.

This analysis is based on vendor disclosures and CVSS metrics as of the publication date. Exploit code, proof-of-concept details, or active threat information are not provided. Security teams should verify patch availability and compatibility in their environment before deployment. This document does not constitute legal, compliance, or insurance advice. Organizations should conduct their own risk assessment and follow internal change management procedures when deploying patches. SEC.co does not endorse any third-party tools or services mentioned. For the most current information, consult Google's official Chrome security advisory and your vendor's guidance. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).