CVE-2026-11162: Chrome CSS Cross-Origin Data Leak Vulnerability
Google Chrome versions before 149.0.7827.53 contain a vulnerability in how the browser handles CSS that can allow attackers to steal data from other websites. An attacker would need to trick a user into visiting a malicious webpage, but once there, the flawed CSS implementation could expose sensitive information from pages the user has open in other tabs or windows. The risk is limited to information disclosure—the vulnerability does not allow attackers to modify data or crash the browser.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11162 is a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerability stemming from inappropriate CSS implementation in Chrome's rendering engine. The flaw permits a network-based attacker to craft an HTML page that, when loaded by a user, exploits CSS parsing or application logic to read cross-origin data that should be protected by the Same-Origin Policy. The CVSS 3.1 score of 4.3 (Medium) reflects the requirement for user interaction and the confidentiality-only impact, with no elevation of privilege or availability concerns.
Business impact
Organizations whose employees rely on Chrome as their primary browser face potential exposure of sensitive business data if users visit compromised or malicious sites. This is particularly concerning for teams handling multi-tab workflows involving authentication tokens, private documents, or cross-domain applications. While the vulnerability requires user action to trigger, the ease of delivery via a crafted webpage and the potential breadth of exposed data mean that affected users could leak credentials, proprietary information, or personal data without awareness. The impact scales with how many users access sensitive web applications in Chrome.
Affected systems
The vulnerability affects Google Chrome on Windows, macOS, and Linux systems running versions prior to 149.0.7827.53. Because Chrome is distributed across multiple operating systems and automatically updates on most configurations, the risk population depends on organizational Chrome deployment practices and update cadence. Users on older versions or organizations with delayed update policies face the highest exposure.
Exploitability
Exploitability is moderate. The attack requires a user to visit a crafted HTML page (network-accessible, low attack complexity), but does require user interaction—the user must click the link or visit the attacker's site. No authentication is needed. Once delivered, the CSS-based exploit operates client-side without requiring specific system configuration or software beyond the vulnerable browser version. The barrier to weaponization is low, though the attack depends on social engineering or compromised third-party content to direct users to the malicious page.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Most Chrome installations update automatically; verify completion by opening Chrome menu → Help → About Google Chrome. For enterprise deployments with managed update policies, confirm that update distribution has completed across your fleet. No workarounds are available; patching is the only mitigation.
Patch guidance
Verify that Chrome has updated to 149.0.7827.53 or a later stable release. On Windows, macOS, and Linux, users can check Settings → About Chrome, which will display both the current version and initiate updates if available. Organizations using Chrome Enterprise or Chromebook management should verify policy-based rollout via their Admin Console. Test critical multi-tab workflows after update to confirm no regression in application functionality.
Detection guidance
Monitor Chrome version inventory in your environment to ensure no systems remain on pre-149.0.7827.53 builds. Endpoint Detection and Response (EDR) tools can flag Chrome versions against a baseline; many vulnerability scanners now include Chrome version checks. Browser usage logs may help identify which users accessed external or untrusted sites around the time the vulnerability was active, though post-compromise attribution is difficult. Consider network controls limiting access to known malicious domains, though the vulnerability itself does not generate distinctive network signatures.
Why prioritize this
Despite a Medium CVSS score, this vulnerability merits prompt attention because it enables silent data leakage across a widely-used browser. The low attack complexity, minimal user friction (clicking a link), and potential for exfiltrating high-value credentials or business data mean that it poses a non-trivial business risk. However, it is not critical because it requires active user participation and does not enable code execution or lateral movement. Organizations should patch within their standard critical or high-priority update windows (within 1–2 weeks of availability).
Risk score, explained
The CVSS 3.1 score of 4.3 reflects a network-based attack (AV:N), low attack complexity (AC:L), no special privileges required (PR:N), and the necessity of user interaction (UI:R). The impact is limited to confidentiality loss (C:L) with no integrity or availability compromise (I:N, A:N). This places the issue in the Medium band. In practice, the true business risk may be higher if your organization handles sensitive data in web applications, because the ease and stealth of exploitation could lead to undetected breaches; however, the absence of privilege escalation, code execution, or service disruption justifies the Medium technical rating.
Frequently asked questions
Can this vulnerability be exploited without a user visiting a malicious website?
No. The attack requires a user to visit a crafted HTML page. The vulnerability does not exploit browser networking, system libraries, or background processes. A user must actively load the attacker's page for the CSS-based data leak to occur.
Does Chrome's automatic update feature protect me?
Yes, if automatic updates are enabled (the default on most installations). Chrome will update to 149.0.7827.53 automatically and prompt the user to restart the browser. Check Settings → About Chrome to verify your current version and trigger an immediate update if needed.
What data can be stolen through this vulnerability?
The vulnerability permits reading content from cross-origin pages—typically data visible in the browser's DOM that should be protected by the Same-Origin Policy. This could include session tokens, form fields, displayed text, or metadata from other open tabs. The exact scope depends on what content is rendered and how the exploit is structured.
Is this vulnerability being actively exploited in the wild?
As of the last update, this vulnerability is not on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no confirmed active exploitation has been reported. However, the low barrier to weaponization suggests that prudent patching should not wait for evidence of in-the-wild attacks.
This analysis is provided for informational purposes and based on available CVE and vendor data as of June 2026. SEC.co does not operate an official Chrome update service; patch version numbers and availability should be verified against the official Google Chrome Release Notes and Security Updates page. Exploit code and detailed proof-of-concept steps are not published here. Organizations should test patches in non-production environments before broad deployment. Your cybersecurity and legal teams should tailor response decisions based on your specific threat model, user population, and compliance obligations. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11168MEDIUMChrome Extension Memory Disclosure Vulnerability
- CVE-2026-11180MEDIUMChrome SVG Cross-Origin Data Leak – Patch & Mitigation Guide
- CVE-2026-11182MEDIUMChrome SVG Cross-Origin Data Leak Vulnerability
- CVE-2026-11209MEDIUMGoogle Chrome Password Memory Disclosure (CVSS 6.5)
- CVE-2026-11271MEDIUMChrome Password Feature Information Disclosure Vulnerability
- CVE-2026-9981MEDIUMChrome Skia Information Disclosure Vulnerability – Patch Guidance
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer