CVE-2026-11182: Chrome SVG Cross-Origin Data Leak Vulnerability
Google Chrome contains a vulnerability in how it processes SVG (Scalable Vector Graphics) content that could allow an attacker to steal sensitive data from websites you visit. An attacker would need to trick you into visiting a malicious webpage, but if successful, they could potentially read information that should be protected between different websites—such as authentication tokens, account details, or other private data. The vulnerability affects Chrome versions before 149.0.7827.53.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11182 is a cross-origin data disclosure vulnerability stemming from an inappropriate SVG implementation in Chrome's rendering engine. The flaw permits information disclosure (CWE-200) across security boundaries when a user visits a crafted HTML page. The attacker cannot modify or delete data, and the vulnerability requires user interaction (clicking a link, visiting a site). Network-based delivery with no special privileges required makes this a direct remote vector. Chrome's sandbox architecture limits exposure, but the breach of same-origin policy in SVG processing represents a meaningful confidentiality risk.
Business impact
Organizations should consider the prevalence of Chrome in their environment when prioritizing this patch. While the vulnerability requires user interaction and doesn't enable code execution or data modification, the potential to exfiltrate session tokens or authentication credentials could lead to account takeover. For enterprises with BYOD policies or employees using Chrome on corporate networks, unpatched instances could serve as stepping stones to internal systems. The reputational impact of data leakage affecting customers or partners may also warrant faster remediation timelines.
Affected systems
This vulnerability affects Google Chrome on Windows, macOS, and Linux systems running versions prior to 149.0.7827.53. While the vulnerability is specific to Chrome, the underlying operating systems (Windows, macOS, and Linux kernel) are listed as affected contexts, meaning all instances of vulnerable Chrome across these platforms require patching. Other Chromium-based browsers (Edge, Opera, Brave, etc.) may also be at risk depending on their update schedules relative to the Chromium project.
Exploitability
The vulnerability has a CVSS score of 6.5 (Medium) and requires user interaction—specifically, a user must visit an attacker-controlled or compromised website. No authentication or special privileges are needed from the attacker's perspective, and it exploits a network-accessible component. The attack surface is broad (any website could be weaponized), but the attack is not self-propagating. As of the publication date, this vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog, suggesting active exploitation in the wild has not been publicly documented, though this does not guarantee absence of threat actor interest.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome's automatic update mechanism should deploy this patch within days of the release; users can manually verify their version via Chrome menu > About Google Chrome. Organizations should verify patch deployment across managed devices and consider temporarily restricting access to untrusted websites on unpatched systems if immediate patching is not feasible. Chromium-based browsers should be checked for corresponding updates from their respective vendors.
Patch guidance
Google released Chrome 149.0.7827.53 as the fixed version on or around June 4, 2026. Verify your current Chrome version under Settings > About > Google Chrome, which will automatically check for updates and display your installed version. If you are below 149.0.7827.53, initiate an update immediately. For enterprise deployments using Google Chrome policies, ensure that your update management configuration enforces the minimum version requirement. Users should not delay updating, as the fix is widely available and installation is non-disruptive. Check the official Google Chrome release notes for any platform-specific considerations.
Detection guidance
Monitor Chrome version inventory across your fleet using endpoint detection and response (EDR) tools, mobile device management (MDM) solutions, or browser telemetry. Flag any instances running versions before 149.0.7827.53. Review web proxy or firewall logs for unusual cross-origin requests or data exfiltration patterns, though detection of exploitation after the fact is difficult without application-level logging. If concerned about past exploitation, examine authentication logs for anomalous session creation or access from unexpected geolocations, as stolen tokens would typically be used to access accounts.
Why prioritize this
Although rated Medium severity and not yet in active public exploitation, this vulnerability warrants prompt attention due to its potential for credential theft and broad attack surface. Any unpatched Chrome instance is a potential attack vector. The requirement for user interaction does not meaningfully reduce risk in environments where employees visit diverse websites. Prioritize patching internet-facing systems and BYOD devices before systems with restricted web access. The patch is trivial to deploy, making delay unjustifiable.
Risk score, explained
The CVSS 6.5 score reflects moderate confidentiality impact (cross-origin data leak) with no integrity or availability component, coupled with network accessibility and user interaction. The vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N indicates the attack is straightforward to mount (low complexity), requires no prior access, but demands end-user action. Absence from the KEV catalog suggests no widespread active exploitation as of the publication date, which moderates the score but does not eliminate the risk. Organizations handling sensitive user data should weight this higher than the base score alone suggests.
Frequently asked questions
Can I be attacked without visiting a malicious website?
No. The vulnerability requires you to visit a crafted webpage—either a malicious site or a legitimate site that has been compromised. Simply having Chrome open is not enough; a user must navigate to an attacker-controlled page for the exploit to trigger.
Will this vulnerability allow an attacker to run malware on my computer?
No. This is a data disclosure vulnerability, not a code execution flaw. An attacker cannot install software, delete files, or modify your system. They can only read sensitive data that crosses security boundaries, such as authentication tokens or personal information from other websites.
Are Chromium-based browsers like Edge or Opera also affected?
Potentially, yes. These browsers are built on Chromium and may be vulnerable until their vendors release corresponding patches. Check your browser's update status independently. However, the disclosed vulnerability specifically identifies Chrome, so vendor advisories for other browsers should be consulted for confirmation.
What data could be at risk if I don't patch?
An attacker exploiting this SVG vulnerability could potentially access authentication cookies, session tokens, or other sensitive data stored for websites you have visited. This could lead to account takeover if the stolen credentials are used to log into your accounts. The specific data at risk depends on which websites you visit before the patch is installed.
This analysis is based on publicly available vulnerability disclosures and vendor information current as of the publication date. CVSS scores and severity ratings are derived from official sources and should be validated against the latest vendor advisories. Organizations should verify patch availability and compatibility in their specific environments before deployment. This document does not constitute legal or compliance advice. For the most current information, consult Google's official Chrome security updates and your organization's vulnerability management policy. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11162MEDIUMChrome CSS Cross-Origin Data Leak Vulnerability
- CVE-2026-11168MEDIUMChrome Extension Memory Disclosure Vulnerability
- CVE-2026-11180MEDIUMChrome SVG Cross-Origin Data Leak – Patch & Mitigation Guide
- CVE-2026-11209MEDIUMGoogle Chrome Password Memory Disclosure (CVSS 6.5)
- CVE-2026-11271MEDIUMChrome Password Feature Information Disclosure Vulnerability
- CVE-2026-9981MEDIUMChrome Skia Information Disclosure Vulnerability – Patch Guidance
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer