CVE-2026-11156: Google Chrome CSS Cross-Origin Data Leak
Google Chrome versions prior to 149.0.7827.53 contain a flaw in how it handles CSS styling rules that can allow an attacker to extract data from other websites you have open in your browser. An attacker would need to trick you into visiting a malicious webpage, and if successful could read sensitive information from other tabs or windows—such as content from your email, banking site, or other services—that you're simultaneously visiting. This is a cross-origin data leak vulnerability affecting the browser's CSS implementation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-352
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from an inappropriate implementation in Chrome's CSS processing engine that fails to properly enforce cross-origin isolation boundaries. Specifically, the flaw allows a remote attacker to construct a crafted HTML page that, when visited, can infer or extract data from pages loaded under different origins. The attack relies on CSS-based side channels or timing/rendering behaviors that leak information across origin boundaries. The issue is classified as CWE-352 (Cross-Site Request Forgery), though the root cause is CSS-specific implementation weakness. Chrome's Chromium project assessed this as Medium severity.
Business impact
For organizations, this vulnerability primarily affects employee browsing security when staff access multiple sensitive web applications simultaneously (cloud platforms, SaaS tools, internal portals). An attacker hosting a malicious ad or compromised webpage could silently exfiltrate session tokens, API keys, or private data from concurrent sessions. The impact is contained to the compromised user's browser session and does not spread laterally, but the confidentiality risk is notable for knowledge workers handling authentication tokens or sensitive business information in web applications. No system integrity or availability impact.
Affected systems
The vulnerability affects Google Chrome on Windows, macOS, and Linux systems. Any user running Chrome prior to version 149.0.7827.53 is vulnerable when visiting untrusted or compromised webpages. The underlying Chromium engine also affects Chrome-based browsers on all listed platforms. Other platforms and Chromium variants should be evaluated against their respective release timelines.
Exploitability
Exploitability is practical but not trivial. An attacker must craft a malicious HTML page and deliver it to a target user, who must then visit it while simultaneously logged into another sensitive web service. No special privileges or authentication are required from the attacker's side. However, the attack requires user interaction (visiting the webpage) and specific conditions (concurrent active sessions to extract data from). There is no known public exploit code, and this vulnerability is not on the CISA Known Exploited Vulnerabilities list as of the latest update, suggesting real-world exploitation remains limited.
Remediation
Update Google Chrome to version 149.0.7827.53 or later immediately. Chrome typically auto-updates, but users should verify they are on the latest version by opening Chrome, going to Settings > About Chrome, and allowing any pending updates to complete. For enterprise environments, Chrome policies should be configured to enforce automatic updates or push this version to managed devices. Users of other Chromium-based browsers should check the vendor's release notes to confirm equivalent fixes are included.
Patch guidance
Google has released Chrome 149.0.7827.53 which contains the fix. Check your current version in Settings > About Chrome—the browser will show your version number and automatically download patches. For managed deployments, verify the Chrome version policy is set to enforce updates. Organizations using Chromium-based browsers (Edge, Brave, Vivaldi, etc.) should review vendor advisories for equivalent patched versions. Testing can proceed on non-production machines or in controlled pilot groups before broad rollout.
Detection guidance
Detection at the endpoint level is difficult because this attack occurs entirely within the browser's rendering engine and does not generate network anomalies. Security teams should focus on: (1) ensuring Chrome auto-update policies are enabled and monitored, (2) tracking browser version numbers through endpoint management tools to confirm > 149.0.7827.53 across the fleet, (3) monitoring for any unusual session activity or token reuse that might indicate credential compromise via this method, and (4) reviewing web browsing logs for access to known malicious domains. No EDR signature is practical for this CSS-based side channel.
Why prioritize this
Although the CVSS score is moderate (4.3), the vulnerability warrants prompt patching because: (1) it requires only user interaction and network access to exploit, (2) it directly undermines the security assumption that different websites cannot see each other's data, (3) it affects a ubiquitous application that handles authentication tokens and sensitive business data, and (4) Chrome's auto-update mechanism means most users will receive the patch automatically within days. Organizations should ensure patch deployment within 30 days; this is not an emergency but should not be deferred beyond standard patch cycles.
Risk score, explained
The CVSS 3.1 score of 4.3 (MEDIUM) reflects: Network-based attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and user interaction needed (UI:R). The impact is confidentiality loss (C:L) with no integrity or availability damage. The score appropriately captures that this is a data leak requiring end-user interaction, not a remote code execution or system takeover. The Chromium security team's Medium designation aligns with CVSS.
Frequently asked questions
Can this vulnerability steal my passwords or login credentials?
Potentially, but only in a narrow sense. The vulnerability leaks data visible in the DOM of other pages you have open—which could include session cookies, authentication tokens embedded in the page, or other sensitive content. It cannot intercept passwords during login or compromise your password manager. If you keep sensitive information in plaintext on a web page, that content could be leaked.
Do I need to do anything if my Chrome updates automatically?
No. Chrome's auto-update feature should deploy version 149.0.7827.53 automatically; you may just need to restart the browser. However, verify your version in Settings > About Chrome to confirm the patch is applied. Force a restart of Chrome if you have not done so in several days.
What is CWE-352 and why is it relevant here?
CWE-352 is Cross-Site Request Forgery, which traditionally refers to attacks that forge requests on behalf of a user. In this case, the classification is somewhat broad—the root issue is CSS-based cross-origin data leakage, which the Chromium team categorized under CWE-352 because the attack exploits the lack of proper origin enforcement in CSS rendering.
Will other browsers like Firefox or Safari be affected?
This specific vulnerability is in Google Chrome's CSS implementation. Firefox and Safari have their own rendering engines and are not directly affected by this Chromium flaw. However, any browser built on Chromium (Edge, Brave, Vivaldi, Opera, etc.) will need updates from their respective vendors to fix the same issue.
This analysis is provided for informational purposes and should not be considered legal or compliance advice. Vulnerability severity and exploitability can vary based on your environment, network configuration, and user behavior. Always verify vendor advisories and test patches in non-production environments before deployment. SEC.co makes no warranty regarding the accuracy of third-party data and recommends independent verification of all technical claims. Consult your security team and vendor documentation before making remediation decisions. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11106MEDIUMCross-Origin Data Leak in Google Chrome Media Component
- CVE-2026-11129MEDIUMChrome Extension Cross-Origin Data Leak Vulnerability
- CVE-2026-11134MEDIUMChrome Media Component Cross-Origin Data Leak Vulnerability
- CVE-2026-11139MEDIUMChrome Cross-Origin Data Leak in Paint Implementation
- CVE-2026-11155MEDIUMChrome CSS Cross-Origin Data Leak Vulnerability