CVE-2026-11160: Chrome Linux Out-of-Bounds Memory Read Vulnerability
Google Chrome on Linux versions before 149.0.7827.53 contains a memory reading flaw in its input handling. An attacker can trick a user into visiting a specially crafted webpage, causing Chrome to leak sensitive data from the browser process's memory—such as cached passwords, session tokens, or other confidential information. The vulnerability requires user interaction (clicking a link or visiting a site) but no special privileges, and affects only Linux systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Out of bounds read in Input in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11160 is an out-of-bounds read vulnerability (CWE-125) in Chrome's Input subsystem on Linux. The flaw allows an unauthenticated remote attacker to read memory outside the intended bounds of a buffer, potentially exposing sensitive process memory. The attack vector is network-based with low complexity; it requires user interaction to visit a malicious HTML page. The vulnerability has a CVSS 3.1 score of 6.5 (Medium severity) with high confidentiality impact but no integrity or availability impact. Chromium classified this as Medium severity internally.
Business impact
This vulnerability could enable attackers to harvest sensitive data from Chrome users on Linux, including authentication credentials, personal information, or session data. The requirement for user interaction limits the scope of mass exploitation, but targeted phishing campaigns could be effective. Organizations with significant Linux-based workforces relying on Chrome for web access face elevated risk of credential compromise and subsequent lateral movement. The confidentiality breach risk justifies prompt patching to prevent data exfiltration attacks.
Affected systems
Google Chrome on Linux operating systems running versions prior to 149.0.7827.53 are vulnerable. Windows and macOS versions of Chrome are not affected by this particular flaw. Linux system administrators and individual Linux users using Chrome should verify their installed version and apply the update. Other Chromium-based browsers on Linux may warrant separate evaluation depending on their patch status.
Exploitability
Exploitation requires delivering a crafted HTML page to a user and obtaining their interaction (visiting the page in Chrome). No authentication, elevated privileges, or complex conditions are needed on the attacker side, making the attack straightforward once the user is redirected or socially engineered. The low attack complexity and network vector indicate moderate real-world exploitability. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog as of the latest data, suggesting active exploitation in the wild has not yet been formally documented, though this does not rule out targeted or limited attacks.
Remediation
Update Google Chrome on Linux systems to version 149.0.7827.53 or later. Chrome typically auto-updates on most Linux distributions, but users should verify completion by checking Settings > About Google Chrome. For enterprise environments, administrators should deploy the update through their standard patch management processes and confirm rollout across all Linux workstations. No workarounds are available; patching is the required mitigation.
Patch guidance
Chrome users on Linux should update to version 149.0.7827.53 or later as soon as possible. Most users will receive updates automatically; check chrome://settings/help to trigger a manual check and restart. For managed deployments, verify that auto-update policies are enabled or use your configuration management tooling to push the new version. Test the patch in a non-production environment first if your organization requires validation before broad rollout.
Detection guidance
Monitor for Chrome processes accessing memory regions outside normal bounds by reviewing kernel logs or endpoint detection systems for out-of-bounds memory access patterns. Network teams should watch for POST/GET requests to suspicious or newly registered domains combined with Chrome user sessions. Endpoint Detection and Response (EDR) tools can flag processes attempting to read sensitive memory. Log user browsing history for visits to unfamiliar or malicious sites around the time credential compromise is suspected. Monitor for unusual authentication attempts or session abuse following potential exposure.
Why prioritize this
Although classified as Medium severity with a CVSS score of 6.5, the high confidentiality impact and ease of exploitation warrant prioritization for Linux environments. The attack requires only user interaction and a network connection, making it a realistic threat in phishing and malware distribution campaigns. The lack of KEV designation suggests this is not yet a widespread, documented threat, providing a window to patch before adversaries mature exploitation techniques. Prioritize based on your organization's Linux Chrome user population and sensitivity of data accessible through browser sessions.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects a Medium severity rating driven by high confidentiality impact (C:H), no integrity or availability impact (I:N, A:N), low attack complexity (AC:L), and network attack vector (AV:N). The requirement for user interaction (UI:R) prevents a higher score. The Medium severity from Chromium aligns with this calculation. Organizations should treat this as a timely but not emergency patch, though the data exfiltration risk elevates it above purely informational issues.
Frequently asked questions
Does this vulnerability affect Chrome on Windows or macOS?
No, this specific out-of-bounds read flaw only affects Google Chrome on Linux systems. Windows and macOS users are not impacted by CVE-2026-11160.
Can the vulnerability be exploited without user action?
No, the attacker must trick the user into visiting or viewing a crafted HTML page in Chrome. The vulnerability cannot be exploited remotely without some form of user interaction, such as clicking a link or visiting a malicious website.
What data is at risk if I'm exploited?
Sensitive information stored in Chrome's process memory could be exposed, potentially including cached login credentials, session tokens, browsing history, autofill data, or other personal information. The exact data depends on what Chrome has in memory at the moment of exploitation.
Is there an auto-update for Chrome that will patch this?
Yes, Chrome typically auto-updates on Linux. To ensure you have the patch, go to chrome://settings/help, which will check for updates and apply version 149.0.7827.53 or later automatically. Restart Chrome after the update completes.
This analysis is based on the vulnerability record as of the modification date (2026-06-17). Exploit details, patch availability, and real-world attack prevalence may evolve; consult the official Google Chrome security advisory and your vendor documentation for the most current information. This explainer does not provide legal, compliance, or specific incident response guidance; organizations should adapt recommendations to their risk profile and security policies. No exploit code or weaponization guidance is included. Verify patch versions and compatibility before deploying to production systems. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-11051MEDIUMChrome ANGLE Out-of-Bounds Read on Linux – Patch Guide
- CVE-2026-11075MEDIUMOut-of-Bounds Read in Chrome V8 Engine – Memory Disclosure Vulnerability
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-11096MEDIUMChrome WebRTC Out-of-Bounds Read
- CVE-2026-11183MEDIUMChrome GWP-ASan Memory Disclosure – Patch Guidance