CVE-2026-11181: Chrome Media Session Same-Origin Policy Bypass (CVSS 6.3)
Google Chrome versions before 149.0.7827.53 contain a flaw in how the Media Session feature is implemented. An attacker can craft a malicious HTML page that, when visited by a user, bypasses the browser's same-origin policy—a fundamental security boundary that prevents websites from accessing data or functionality from other sites without permission. This could allow the attacker to read sensitive information, make unauthorized changes, or disrupt functionality within the context of other websites the user has open. The vulnerability requires user interaction (clicking a link or visiting a page) but does not require any special browser configuration.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-346
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Media Session in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11181 stems from an inappropriate implementation in Chrome's Media Session API (CWE-346: Origin Validation Error). The Media Session feature, which manages audio/video playback controls across browser tabs, failed to properly enforce origin boundaries. An attacker can craft a malicious HTML document that exploits this validation gap, allowing JavaScript execution in a context that violates the same-origin policy. The attacker gains the ability to read session state, initiate playback commands, or access cross-origin media metadata without proper authorization. The vulnerability affects Chrome on Windows, macOS, and Linux systems.
Business impact
Organizations must consider the risk of employee browsers being compromised through legitimate-appearing websites. If an employee visits an attacker's page while authenticated to corporate SaaS platforms, the attacker could potentially exfiltrate session tokens, user preferences, or other sensitive session data. This is particularly concerning in environments where employees use shared devices or where multiple sensitive web applications are accessed in the same browser session. The vulnerability does not directly impact enterprise infrastructure, but it undermines browser-based security assumptions that many organizations rely on for web application isolation.
Affected systems
Google Chrome on Windows, macOS, and Linux running any version prior to 149.0.7827.53 is vulnerable. This includes both the stable release channel and potentially earlier channels depending on deployment practices. The vulnerability affects all users of vulnerable Chrome versions regardless of extensions or additional configuration, though it requires the user to visit or interact with a crafted HTML page.
Exploitability
Exploitability is moderate to high. The attack requires only network access and user interaction (visiting a malicious page), with no authentication needed. The attack surface is broad—any website the attacker controls or can inject content into serves as a delivery mechanism. However, practical exploitation depends on the attacker identifying a useful same-origin boundary to cross and a valuable target (e.g., a banking site, email provider, or corporate application) that the user has authenticated to. The CVSS score of 6.3 (Medium) reflects this balance between ease of triggering and limited immediate impact scope.
Remediation
Upgrade Google Chrome to version 149.0.7827.53 or later. This patch corrects the Media Session origin validation logic. Users should enable automatic updates to ensure timely patching. Organizations managing Chrome through mobile device management (MDM) or enterprise policy tools should verify that update policies are configured to deploy this patch promptly.
Patch guidance
Chrome auto-updates are the primary remediation path for consumer and enterprise users. Verify the installed version via Chrome menu > Help > About Google Chrome, which will display the current version and initiate an update check if needed. For enterprise deployments using Chrome Enterprise, confirm that the browser policy settings permit updates and that the device has connectivity to reach Google's update servers. Organizations can verify patch deployment via enterprise reporting dashboards. No interim mitigations are available; patching is the only remediation.
Detection guidance
Monitor for suspicious browser behavior or unexpected cross-origin requests in network logs. Endpoint detection systems should flag Chrome versions older than 149.0.7827.53 during vulnerability scanning. Review browser history and DNS queries for visits to unknown or suspicious domains, particularly on devices with access to sensitive applications. Behavioral indicators include unusual Media Session API calls or excessive media metadata requests. Intrusion detection systems may identify exploit attempts through analysis of malformed Media Session requests, though signature-based detection is difficult given the client-side nature of the flaw.
Why prioritize this
This vulnerability merits prompt patching because it undermines a core browser security model (same-origin policy) that organizations depend on to isolate sensitive web applications. Although the CVSS score is medium and the vulnerability is not yet in active mass exploitation (KEV status: not listed), the low barrier to exploitation and the prevalence of Chrome in enterprise environments create meaningful risk. Prioritize patching for devices with access to sensitive internal or customer-facing web applications, and for users who frequently visit untrusted websites or click links in email.
Risk score, explained
The CVSS v3.1 score of 6.3 reflects: (1) network-based attack vector requiring only HTTP access, (2) low attack complexity with no special conditions, (3) no privileges required, (4) user interaction required (visiting a page), (5) limited scope (confined to the browser process), and (6) modest impact across confidentiality, integrity, and availability (each rated as low). The score appropriately captures that exploitation is straightforward but impact is bounded by browser sandbox constraints and requires the attacker to identify a useful cross-origin target.
Frequently asked questions
Does this vulnerability allow attackers to remotely execute code on my computer?
No. The vulnerability is confined to the browser process and allows same-origin policy bypass within the Media Session feature—not arbitrary code execution on the underlying operating system. However, in combination with other browser vulnerabilities, it could contribute to a broader attack chain.
Do I need to do anything if I have auto-update enabled?
Automatic updates in Chrome typically push patches within hours of release. Verify your version is 149.0.7827.53 or later via Help > About Google Chrome. If you see an older version, the update may be pending restart; close and reopen Chrome to complete the installation.
Can this vulnerability be exploited without me visiting a malicious website?
The vulnerability requires that you visit or interact with a page containing the malicious HTML payload. It cannot be triggered by passive network activity or simply by running Chrome. However, attackers could trick users into clicking links via email, social media, or compromised legitimate websites.
Why is this a 'Medium' severity if it bypasses same-origin policy?
Same-origin policy bypass is serious, but its impact is constrained by the browser sandbox and by the fact that the attacker must identify a useful cross-origin target that the user is authenticated to. Additionally, the attack requires user interaction and does not enable arbitrary system-level compromise. These factors collectively result in a Medium rating rather than a High or Critical rating.
This analysis is based on the CVE record and publicly available information current as of the analysis date. Patch versions and patch availability dates should be verified against the official Google Chrome security release notes (https://chromereleases.googleblog.com/) and your organization's update channels before deployment. This vulnerability has not been confirmed as actively exploited in the wild (KEV status: not listed); however, organizations should not interpret this as reduced risk—timely patching remains critical. No exploit code or weaponized proof-of-concept is provided in this analysis. Security decisions should factor in your organization's threat model, asset criticality, and change management processes. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-11036MEDIUMChrome Same-Origin Policy Bypass via DOM Implementation Flaw
- CVE-2026-11048MEDIUMChrome Extension Same-Origin Policy Bypass (Medium, 6.5)
- CVE-2026-11081MEDIUMChrome Canvas Same-Origin Policy Bypass
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11132MEDIUMChrome Same-Origin Policy Bypass in Paint Component