CVE-2026-11159: Chrome Skia Memory Leak Cross-Origin Data Exposure
A memory safety issue in Google Chrome's Skia graphics library allows attackers to steal data from websites you visit. By crafting a malicious HTML page, an attacker could trick your browser into exposing information that should remain private to other websites—a cross-origin data leak. The vulnerability requires user interaction (clicking or viewing the page) but doesn't require special browser settings or authentication. Google patched this in Chrome 149.0.7827.53 and later versions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-457
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Uninitialized Use in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11159 is an uninitialized variable vulnerability (CWE-457) in Skia, Google's open-source 2D graphics library used by Chromium. When Skia processes certain graphics operations in a crafted HTML page, uninitialized memory may be read and exposed to JavaScript, enabling exfiltration of sensitive data across security boundaries. The vulnerability has a CVSS 3.1 score of 4.3 (Medium) with a network-based attack vector, low complexity, no privilege requirements, and user interaction needed. The impact is confidentiality loss without integrity or availability consequences.
Business impact
While the CVSS score is moderate, this vulnerability poses a real privacy risk in enterprise environments. An attacker could harvest credential previews, session tokens, or personally identifiable information from users browsing sensitive internal or third-party sites. The requirement for user interaction (visiting a malicious page) makes it suitable for targeted phishing or watering-hole campaigns against specific organizations. For businesses with strict data protection obligations (GDPR, HIPAA, SOC 2), any cross-origin data leak represents a compliance concern and potential incident notification requirement.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are affected. The vulnerability also impacts Chromium-based browsers on multiple platforms: Apple macOS, Linux systems (including those running the Linux kernel), and Microsoft Windows. Organizations should audit all Chromium-derived browsers in their environments, including Brave, Edge, Opera, and others that inherit Chromium code.
Exploitability
Exploitability is moderate. An attacker must craft a specific HTML page and convince or trick a user into visiting it—no drive-by download or zero-click mechanism is involved. Once a user views the page, the uninitialized memory leak occurs automatically without further user action. The attack is deterministic given the right conditions, making it reliable for targeted campaigns. No public exploit code or weaponized POC is known to be widely available, but the simplicity of the underlying flaw (uninitialized variable) suggests reproduction and exploitation are straightforward for a competent attacker.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. For users of Chromium-based browsers (Edge, Brave, etc.), verify patch availability from the respective vendor—timelines may vary. macOS users should ensure Chrome auto-updates are enabled or manually trigger an update. Linux users should update via their distribution's package manager or download the latest stable build from Google. No workarounds short of avoiding untrusted websites exist.
Patch guidance
Deploy Chrome 149.0.7827.53 or later across your organization. If you manage Chromium-based browsers, confirm patch versions with each vendor's security advisory. Enable auto-update if not already active. Test the update in a small pilot group to verify no compatibility issues with internal web applications, then roll out broadly. For managed deployments (Windows domain, macOS MDM), use your device management platform to enforce the minimum version. Verify patching completion within 30 days of availability.
Detection guidance
Monitor Chrome version telemetry in your endpoint management system for machines still running pre-149.0.7827.53 versions. Check for browser crashes or unexpected behavior on systems that may have encountered a malicious page before patching. Review network logs for outbound data exfiltration from sensitive internal web applications if you suspect targeted attacks. Monitor for phishing emails or watering-hole indicators that could precede exploitation. Web application firewalls may flag unusual data patterns in responses, though the vulnerability occurs client-side and may be difficult to detect at the network layer.
Why prioritize this
Despite its Medium severity rating, this vulnerability warrants prompt attention because it targets confidentiality through data exfiltration—a top concern for regulated organizations. The attack vector is network-based and requires only user interaction, making it practical for targeted campaigns against your workforce. Chromium's ubiquity means nearly all your users are likely affected. While not critical, treating it as a high-priority patch (30-day remediation target) aligns with security best practices for privacy-relevant flaws.
Risk score, explained
CVSS 3.1 score of 4.3 reflects a Medium-severity issue: the attack is network-based with low complexity and no authentication required (AV:N/AC:L/PR:N), but user interaction is mandatory (UI:R), and impact is limited to confidentiality in an unchanged security context (S:U/C:L/I:N/A:N). The score appropriately captures that this is a privacy leak, not a system compromise or denial-of-service attack. However, business context—regulatory exposure, targeted user population, enterprise data sensitivity—may warrant treating it more aggressively than the numerical score suggests.
Frequently asked questions
Can I be exploited if I don't click anything?
No, the vulnerability requires user interaction. You must visit or view the malicious HTML page for the leak to occur. Passive browsing or having a tab open in the background is not sufficient, though the page does not require you to actively click buttons or fill forms—simply rendering the page may trigger the condition.
Will this leak my passwords or payment card data?
Not directly. The vulnerability leaks uninitialized memory, which could contain fragments of previously processed data from other websites or the browser cache. This might include session cookies, authentication tokens, or PII visible in cached content, but not encrypted credentials stored securely by the browser. The actual payload depends on what data was in memory at that moment.
Are Chrome extensions or add-ons affected?
The vulnerability is in Skia, the core graphics library, so any extension or web page running in Chrome is potentially affected. However, Chrome's sandboxing limits what memory an attacker can access—typically data from the same rendering process, not system-wide memory.
Why does the CVSS score seem low if this is a data leak?
CVSS 4.3 is considered Medium severity because the scope (S:U) is unchanged, meaning the attacker gains access within the same security context and cannot impact other systems. The user interaction requirement and limited confidentiality impact (one rendering context's memory) also lower the score. However, CVSS does not account for privacy regulations or your organization's risk tolerance, so your internal risk assessment may reasonably rate this higher.
This analysis is provided for informational purposes and based on data available as of the publication date. CVSS scores and severity ratings are determined by the CVE record and should be verified against the authoritative source. Patch version numbers and timelines should be confirmed with official vendor advisories before deployment. No exploit code or weaponized proof-of-concept is provided or endorsed. Organizations should conduct their own risk assessment and testing before implementing patches in production environments. SEC.co assumes no liability for decisions made based on this intelligence. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11039MEDIUMChrome Skia Uninitialized Variable Data Leak Vulnerability
- CVE-2026-11057MEDIUMChrome Skia Uninitialized Memory Leak – 6.5 CVSS
- CVE-2026-11067MEDIUMChrome Memory Disclosure Vulnerability in Dawn – Patch to 149.0.7827.53
- CVE-2026-11087MEDIUMChrome ANGLE Memory Leak Allows Cross-Origin Data Theft
- CVE-2026-11089MEDIUMGoogle Chrome Memory Disclosure in Media Handling
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-11104MEDIUMChrome ANGLE Uninitialized Memory Disclosure (CVSS 6.5)
- CVE-2026-11109MEDIUMANGLE Uninitialized Use Data Leak in Chrome – Patch Guidance