CVE-2026-11203: Chrome GPU Isolation Bypass on macOS Allows Cross-Origin Data Leak
Google Chrome on macOS has a flaw in how it handles GPU-related processes that could allow an attacker to steal sensitive data from websites you visit. The vulnerability requires user interaction—you would need to visit a malicious or compromised website—but once there, an attacker could potentially access information from other sites you have open in the browser. Google has patched this in Chrome version 149.0.7827.53 and later.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in GPU in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11203 is an information disclosure vulnerability in Chrome's GPU implementation affecting macOS systems. The root cause is inappropriate implementation in the GPU subsystem that fails to properly isolate cross-origin data. An attacker can craft a malicious HTML page that, when visited by a user, leverages this GPU-layer isolation bypass to exfiltrate data from different origins. The vulnerability is classified as CWE-200 (Information Exposure) and carries a CVSS v3.1 score of 6.5 (Medium), reflecting the requirement for user interaction and the confidentiality impact.
Business impact
This vulnerability creates a cross-site data theft risk for Chrome users on macOS. While not critical, the ability to leak cross-origin data undermines browser sandboxing assumptions and could expose sensitive information such as authentication tokens, personal data from banking sites, or proprietary information from intranet applications. For organizations relying on Chrome as the standard browser, this represents a confidentiality risk until patching is complete. The Medium severity classification suggests this is not an active mass-exploitation vector, but diligent patching remains important to close the window of exposure.
Affected systems
This vulnerability specifically affects Google Chrome on Apple macOS operating systems prior to version 149.0.7827.53. The flaw is in the GPU implementation layer and therefore requires a machine with GPU capabilities, though modern Macs universally include GPU hardware. Windows and Linux versions of Chrome are not affected. Users on older Chrome versions or those running auto-update disabled are at highest risk.
Exploitability
The vulnerability requires user interaction—a victim must visit an attacker-controlled or compromised website. No network complexity or special privileges are needed on the attacker side; a publicly hosted malicious page is sufficient. However, exploitation is not trivial; it depends on successfully crafting HTML that triggers the GPU isolation flaw, and user awareness of phishing or website compromise could serve as a practical defense layer. This is not listed in the Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of active weaponized exploitation at the time of publication.
Remediation
Update Google Chrome to version 149.0.7827.53 or later on all macOS systems. For users with auto-update enabled, the patch will deploy automatically; those with manual updates should check Chrome's About page (Menu > About Google Chrome on Mac) to trigger an update check. No workarounds or configuration changes can mitigate this vulnerability; patching is the only remediation path.
Patch guidance
Verify that Chrome on your macOS fleet has updated to version 149.0.7827.53 or a later release. Check 'Chrome Menu > About Google Chrome' which will display the current version and automatically check for updates. Organizations managing Chrome via enterprise policies (via Google Admin or MDM solutions) should confirm that their deployment policies allow timely updates or explicitly deploy version 149.0.7827.53 or newer. The patch was released on 2026-06-04; allow 1–2 weeks for widespread deployment through auto-update channels.
Detection guidance
Monitor Chrome version numbers across your macOS fleet using endpoint detection tools, MDM solutions, or browser telemetry if available. Log malicious or suspicious website visits; network tools can flag access to known phishing or compromise vectors. Organizations without centralized Chrome reporting can audit individual machines via 'Chrome Menu > About Google Chrome.' There are no signature-based or behavioral indicators of exploitation; detection must focus on ensuring patching compliance. If you suspect exploitation, examine browser history for suspicious site visits and monitor accounts for unauthorized access or token theft.
Why prioritize this
This vulnerability merits moderate-to-high prioritization for macOS-using organizations because it bypasses browser sandbox assumptions and can leak cross-origin data, a foundational trust assumption for web-based security. While the CVSS score of 6.5 is Medium and exploitation requires user interaction, the confidentiality impact and potential to steal session tokens or sensitive data make it a practical risk. The absence of known active exploitation provides a window to patch before public toolkit availability increases. Prioritize patching for users accessing sensitive internal sites or financial services.
Risk score, explained
The CVSS v3.1 score of 6.5 reflects: (1) Network accessibility (AV:N) — attackers can host malicious content on the internet; (2) Low attack complexity (AC:L) — no special network conditions or specialized tooling required; (3) No privileges needed (PR:N); (4) User interaction required (UI:R) — victim must visit the malicious page; (5) High confidentiality impact (C:H) — sensitive cross-origin data can be leaked; (6) No integrity or availability impact (I:N/A:N). The Medium severity reflects the confidentiality breach potential offset by the user-interaction requirement and lack of cascading system damage.
Frequently asked questions
Will this attack work on Windows or Linux versions of Chrome?
No. This vulnerability is specific to Chrome's GPU implementation on macOS. Windows and Linux users are not affected, though they should maintain current Chrome versions for other security reasons.
Can I prevent this by disabling hardware acceleration in Chrome settings?
Disabling GPU acceleration may reduce attack surface, but it is not a guaranteed mitigation. The safest approach is to update to the patched version. If you must run an unpatched version, disabling hardware acceleration in Chrome Settings > Advanced > System may provide partial defense, but this is not a substitute for patching.
What data could an attacker steal?
An attacker could access data that other open browser tabs are loading or displaying, potentially including authentication cookies, session tokens, or sensitive personal information. The scope depends on what sites you have open and what data they expose to the GPU subsystem.
Is there active exploitation happening?
As of the publication date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, indicating no evidence of active, widespread exploitation. However, this does not mean it will never be exploited, so timely patching is still important.
This analysis is based on official CVE, Chromium Security Advisory, and vendor patch release data as of the publication and modification dates noted. CVSS scores and severity ratings are provided by the official sources and reflect threat modeling at the time of release. Actual organizational risk may vary based on Chrome usage patterns, user awareness, and network segmentation. This document does not constitute professional security advice; consult your security team and vendor advisories for deployment-specific decisions. No exploit code or detailed attack reproduction steps are provided. Always verify patch applicability and test in a non-production environment before broad deployment. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11162MEDIUMChrome CSS Cross-Origin Data Leak Vulnerability
- CVE-2026-11168MEDIUMChrome Extension Memory Disclosure Vulnerability
- CVE-2026-11180MEDIUMChrome SVG Cross-Origin Data Leak – Patch & Mitigation Guide
- CVE-2026-11182MEDIUMChrome SVG Cross-Origin Data Leak Vulnerability
- CVE-2026-11209MEDIUMGoogle Chrome Password Memory Disclosure (CVSS 6.5)
- CVE-2026-11271MEDIUMChrome Password Feature Information Disclosure Vulnerability
- CVE-2026-9955MEDIUMCross-Origin Data Leak in Google Chrome on iOS
- CVE-2026-9981MEDIUMChrome Skia Information Disclosure Vulnerability – Patch Guidance