MEDIUM 6.5

CVE-2026-11176: Chrome Cross-Origin Data Leak via Media Handling Flaw

Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser handles media content that could allow an attacker to trick a user into visiting a malicious webpage and steal sensitive data from other websites the user is logged into. The attacker cannot exploit this remotely without user interaction—the victim must visit the crafted page—but once there, the browser's media handling could be bypassed to reveal cross-origin information that should remain private.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-346
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11176 is a cross-origin data leak vulnerability stemming from inappropriate implementation in Chrome's Media component (CWE-346: Origin Validation Error). The flaw permits a remote attacker to exfiltrate sensitive data across security boundaries via a specially crafted HTML page. The vulnerability has a CVSS 3.1 score of 6.5 (Medium) with a network vector, low attack complexity, no privilege requirement, and user interaction needed. Impact is confidentiality (High); integrity and availability are unaffected. The vulnerability was patched in Chrome 149.0.7827.53 and later.

Business impact

This vulnerability poses a confidentiality risk to users of affected Chrome browsers. If exploited, attackers could harvest authentication tokens, session cookies, or personal data from other websites, potentially leading to account compromise or identity theft. Organizations relying on web applications to protect sensitive data should recognize that Chrome users visiting malicious sites could leak information from authenticated sessions. The requirement for user interaction limits blast radius, but the high confidence nature (no further exploitation steps needed once the page loads) makes it a meaningful risk for security-conscious deployments.

Affected systems

Google Chrome prior to version 149.0.7827.53 on Windows, macOS, and Linux platforms is vulnerable. Users on all three major operating systems running older Chrome builds are at risk. Linux kernel, Windows, and macOS are listed as affected platforms, indicating the vulnerability is cross-platform and not OS-specific; the vulnerability resides in Chrome itself.

Exploitability

Exploitation requires remote delivery of a crafted HTML page and user interaction (the user must visit the malicious page). No special privileges are required on the target system, and the attack can be launched over the network. Once a user is tricked into opening the page, the media handling flaw can be triggered without further user action, making the bar for exploitation relatively low despite the initial UI requirement. No public exploits have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately. Check the official Chrome release notes to confirm the patch version for your OS. For enterprises managing Chrome deployments, use group policy or mobile device management (MDM) solutions to enforce automatic updates. Users can manually update via Chrome's built-in auto-update mechanism (Settings > About Google Chrome).

Patch guidance

Verify that Chrome auto-updates are enabled in your environment. For Windows, macOS, and Linux, Chrome typically updates automatically in the background and prompts users to restart the browser. Confirm all users are running 149.0.7827.53 or a newer version (Settings > About Google Chrome displays the current version). If managing Chrome centrally, reference Google's Chrome Enterprise release notes to ensure your managed version has been updated past 149.0.7827.53. No further configuration changes are needed after patching.

Detection guidance

Monitor Chrome version numbers across your organization using endpoint detection and response (EDR) tools or mobile device management reporting. Identify machines running Chrome versions earlier than 149.0.7827.53. Web-based detection is limited since this is a client-side vulnerability; focus on version auditing rather than network signatures. Security teams can review browser logs and user activity around the vulnerability disclosure date (June 4, 2026) to identify potential exploitation attempts, though evidence may be limited without additional logging infrastructure. Consider blocking or warning users about known malicious sites that attempt to trigger this flaw (if IoCs are disclosed by Google or security researchers).

Why prioritize this

Although the CVSS score is 6.5 (Medium), this vulnerability warrants prioritization because it enables confidentiality breaches (High impact) with minimal attack complexity and no privilege requirement. Cross-origin data leaks directly threaten user credentials and sensitive application data. While KEV status is not active, the attack surface is broad (all Chrome users on Windows, macOS, Linux) and the user interaction barrier is low (visiting a link). Organizations should treat this as a high-priority patch in their Chrome fleet to prevent session hijacking and data theft.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects a Medium severity rating based on: (1) High confidentiality impact (sensitive data leakage), (2) No integrity or availability impact, (3) Network-based attack vector requiring no privileges, (4) User interaction as a prerequisite. The Medium classification understates practical risk because confidentiality breaches involving cross-origin data are business-critical in web security. Organizations managing sensitive web applications should weight this higher than the numeric score alone suggests.

Frequently asked questions

Can this vulnerability steal my passwords directly?

Not directly. The vulnerability leaks data from other websites you are logged into, which may include authentication tokens, cookies, or session data. An attacker could use this data to impersonate you or access your accounts. Your password itself is less likely to be transmitted in a way this flaw could intercept, but session tokens are typically sufficient for account takeover.

Do I need to change my passwords if I visited a suspicious website?

If you suspect you may have visited a malicious page before patching Chrome, review your account activity and consider changing passwords as a precaution—particularly for high-value accounts (email, banking, work systems). Most importantly, update Chrome immediately to 149.0.7827.53 or later to prevent future exploitation.

Does this affect Chrome on mobile devices?

Yes. Google Chrome on Android and iOS is affected if running a version prior to 149.0.7827.53. Ensure mobile devices are updated via the Google Play Store (Android) or Apple App Store (iOS). Mobile users should receive auto-updates, but verify your device Chrome version in settings.

Is there any way to protect myself without updating?

Updating is the only reliable mitigation. As a temporary defense, avoid clicking on unfamiliar links, and use security extensions that block known malicious domains. However, these measures are insufficient and not a substitute for patching. Update Chrome as soon as possible.

This analysis is provided for informational purposes and is based on publicly available vulnerability data as of the publication date. CVSS scores, affected versions, and patch information are derived from official vendor advisories and the National Vulnerability Database. Actual exploitation success depends on user behavior and specific browser configurations. Organizations should consult Google's official Chrome security release notes and their own vulnerability management policies before deploying patches. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends independent verification of all patch versions and remediation steps. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).