MEDIUM 5.9

CVE-2026-11199: Chrome WebRTC Cross-Origin Data Leak Vulnerability

Google Chrome versions before 149.0.7827.53 contain a flaw in how WebRTC handles network traffic that could allow an attacker positioned on the same network to steal sensitive information across website boundaries. The vulnerability requires the attacker to be in a privileged network position—such as on a shared Wi-Fi network or controlling network infrastructure—but does not require user interaction or special permissions. The risk is limited to information disclosure; the flaw cannot be used to modify data or crash the browser.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-20
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in WebRTC in Google Chrome prior to 149.0.7827.53 allowed an attacker in a privileged network position to leak cross-origin data via malicious network traffic. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11199 stems from an inappropriate implementation in Chrome's WebRTC subsystem that fails to properly isolate cross-origin data from malicious network traffic. The vulnerability is classified as CWE-20 (Improper Input Validation), indicating that Chrome's WebRTC component does not adequately validate or filter network-sourced data before exposing it to web content. An attacker with network-level access (AV:N, AC:H) can craft malicious traffic to trigger the flaw and exfiltrate confidential information. The CVSS 3.1 vector (5.9, MEDIUM) reflects high confidentiality impact but no integrity or availability compromise.

Business impact

This vulnerability poses a confidentiality risk primarily to users on untrusted networks—particularly those connecting via public Wi-Fi, compromised corporate networks, or ISP-level attackers in certain regions. Organizations with strict data sensitivity requirements (finance, healthcare, legal) should prioritize patching because users may inadvertently leak session data, authentication tokens, or personal information during video calls or real-time communication sessions. The impact is mitigated by the requirement for attacker network positioning, making this less critical than remote code execution vulnerabilities, but the stealthy nature of network-based attacks means detection and prevention may be challenging.

Affected systems

Google Chrome is the primary affected product and the source of the vulnerability. The vulnerability also affects systems running Chrome on macOS, Linux, and Windows platforms. Users on any operating system running Chrome versions prior to 149.0.7827.53 are at risk. Note that while the vendor list includes the operating systems themselves, the vulnerability resides in the Chrome application; patching Chrome is the primary mitigation.

Exploitability

Exploitation requires an attacker to occupy a privileged network position (e.g., rogue access point, ISP-level position, or compromised network segment). The attacker must craft malicious network traffic that interacts with an active WebRTC session. This is not trivial—the attacker cannot exploit the vulnerability remotely over the open internet from an arbitrary location, and user interaction is not required, which keeps the difficulty moderate. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of active in-the-wild exploitation as of the publication date.

Remediation

Users and administrators must upgrade Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically handles this transparently, but users should verify their current version (Chrome menu > About Google Chrome) and restart the browser to complete the update if necessary. Organizations managing Chrome deployments should use group policies or mobile device management (MDM) platforms to enforce the minimum version requirement and prevent rollback to vulnerable versions.

Patch guidance

Verify that Chrome has auto-updated to 149.0.7827.53 or later by navigating to Chrome Settings > About Google Chrome, which will display the current version and check for updates. If an older version is displayed, manually trigger an update and restart the browser. For enterprise deployments, verify that policies enforcing minimum Chrome versions are in place and are being applied to all managed devices. Test WebRTC functionality (video/audio calls, screen sharing) after patching to ensure no regressions in real-time communication features. Consider pushing the update through MDM or WSUS to accelerate coverage across the organization.

Detection guidance

Network-based detection is challenging since the attack operates at the WebRTC protocol layer. Organizations can monitor for suspicious network traffic patterns around WebRTC sessions on untrusted networks, but this requires protocol-aware network monitoring tools. Endpoint detection should focus on verifying Chrome version compliance via asset inventory and configuration management databases. Monitor user reports of unexpected data exposure or unusual activity on video call platforms. Consider using browser isolation or network segmentation to limit user exposure to untrusted networks where such attacks are most feasible.

Why prioritize this

While the CVSS score (5.9, MEDIUM) is moderate, several factors warrant priority attention: (1) Chrome's ubiquity means millions of users are potentially exposed; (2) the vulnerability affects confidentiality of sensitive communications, particularly concerning for users in regulated industries; (3) network-based attacks can be difficult to detect and prevent at the endpoint; (4) the patch is straightforward and carries low deployment risk due to Chrome's mature auto-update infrastructure. Organizations should prioritize patching over the next 1–2 weeks, with higher urgency for users in regulated or high-sensitivity roles.

Risk score, explained

The CVSS 3.1 score of 5.9 reflects a MEDIUM severity. Network accessibility (AV:N) and high confidentiality impact (C:H) drive the score upward, but the requirement for a privileged attacker position (AC:H) and lack of integrity or availability impact moderate the final rating. This is appropriate: the vulnerability is real and affects widespread software, but exploitation barriers (network positioning) and limited scope (information disclosure only) prevent a higher score. Organizations should not dismiss MEDIUM-severity vulnerabilities; this score indicates a material risk that warrants timely patching.

Frequently asked questions

Do I need to be concerned if I only use Chrome on my home Wi-Fi network?

If your home Wi-Fi is secured with a strong password and you trust everyone with access, your risk is low. However, if you connect to public Wi-Fi (coffee shops, airports, hotels), an attacker could exploit this vulnerability to eavesdrop on WebRTC-based communications like video calls. Patch Chrome regardless, and consider avoiding sensitive real-time communications on untrusted networks until you have updated.

Will Chrome auto-update protect me, or do I need to manually patch?

Chrome's auto-update mechanism will deploy the fix automatically in most cases, but updates are delivered in waves and may take a few days. You can accelerate protection by manually checking for updates in Settings > About Google Chrome. For enterprise environments, administrators should enforce the patch via policy rather than relying solely on auto-update.

Is this vulnerability exploitable from the open internet, or only on the same network as me?

The attacker must be in a privileged network position—typically on the same network segment or controlling network infrastructure (router, ISP). They cannot exploit the vulnerability remotely from an arbitrary location on the internet. This limits the threat landscape but does not eliminate it, especially on public or untrusted networks.

What data can be leaked, and how do I know if I've been compromised?

The vulnerability allows leakage of cross-origin data during WebRTC sessions, which could include session tokens, audio/video streams, or metadata. Detection is difficult because the attack is stealthy and occurs at the network layer. Monitor for unexpected sign-outs, unusual account activity, or suspicious login attempts from unfamiliar locations, and consider changing passwords if you used public Wi-Fi around the vulnerability publication date.

This analysis is provided for informational purposes to support vulnerability management and patch prioritization. SEC.co does not provide guarantee of accuracy regarding third-party CVE data, vendor patch versions, or exploitation timelines. Organizations should verify all patch version numbers and compatibility against official vendor advisories before deployment. This explainer does not constitute legal, security, or business advice. Consult your security team and conduct risk assessment tailored to your environment. SEC.co assumes no liability for decisions made based on this content. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).