MEDIUM 4.3

CVE-2026-11253: Chrome Permissions Flaw Allows Cross-Origin Data Leak

Google Chrome contained a flaw in how it handled permissions that could allow an attacker to trick users into visiting a specially crafted web page and leak data from other websites the user was visiting. The vulnerability requires user interaction (clicking or viewing a malicious page) and only affects data confidentiality, not system availability or integrity. Google has patched this in Chrome 149.0.7827.53 and later.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-362
Affected products
4 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11253 is a cross-origin data leak vulnerability stemming from an inappropriate permissions implementation in Google Chrome's security model. The flaw is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), indicating a logic error in how the browser enforces origin isolation. An attacker can craft malicious HTML content that, when visited by a user, bypasses standard same-origin policy protections and exfiltrates sensitive data from pages in different origins within the same browsing context. The attack vector is network-based with low attack complexity, but requires user interaction to succeed. Chromium's security team assessed the original vulnerability severity as Low, though the assigned CVSS 3.1 score of 4.3 (Medium) reflects the confidentiality impact potential.

Business impact

This vulnerability poses a moderate data confidentiality risk for organizations whose users access sensitive web applications through Chrome. Potential exposure includes session tokens, personal information, or confidential business data from other open tabs if a user is socially engineered into visiting an attacker-controlled page. The impact is most significant for organizations handling regulated data (finance, healthcare, law) where cross-site data leakage could trigger compliance violations or breach notification obligations. However, the requirement for active user participation and the fact that no code execution or system compromise occurs limits the overall organizational blast radius.

Affected systems

The vulnerability affects Google Chrome on multiple platforms: Windows, macOS, and Linux systems running Chrome versions prior to 149.0.7827.53. Users on Windows, macOS, and Linux systems using affected Chrome versions are at risk. The flaw does not affect the underlying operating system kernels; the Linux kernel is listed as an affected product in the CVE metadata but the vulnerability is specific to Chrome's browser rendering engine and permission logic, not the kernel itself.

Exploitability

This vulnerability has a relatively low barrier to exploitation. An attacker needs only to host a malicious HTML page and convince a user to visit it—no special software, plugins, or advanced techniques required. However, successful exploitation depends on the user simultaneously having a sensitive website open in another tab or window, and the attacker must know or guess which site to target for data leakage. The attack cannot be carried out silently; it requires the user to interact with the malicious page. No public exploit code or active in-the-wild attacks have been disclosed as of the CVE publication date, and the vulnerability is not tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Users should update Google Chrome to version 149.0.7827.53 or later immediately. Chrome's automatic update mechanism typically deploys patches within 24–48 hours for most users, but manual checking via Settings → About Chrome expedites the process. Organizations should verify patch deployment across their endpoint fleet. For environments where Chrome updates are centrally managed, administrators should confirm the update is staged and rolled out. No workarounds are available short of disabling cross-site data sharing features, which would degrade browser functionality; patching is the only reliable remediation.

Patch guidance

Verify that your Chrome installations are running version 149.0.7827.53 or later. For centrally managed environments, verify the update through your mobile device management (MDM) or endpoint management system. Check Settings → About Chrome (on Mac: Chrome menu → About Google Chrome; on Linux: hamburger menu → About Google Chrome) to confirm the current version. If auto-update is disabled in your organization, manually trigger the update. Test functionality of web applications after patching to ensure no compatibility issues. For macOS and Linux users, the same version number applies across platforms.

Detection guidance

Detection of exploitation attempts is challenging without direct access to browser logs or network traffic inspection. Security teams can monitor for suspicious user activity patterns: reports of unexpected data disclosure, session hijacking, or unauthorized access to sensitive web applications during periods when affected Chrome versions were in use. Endpoint detection and response (EDR) tools should flag unusual inter-process communication or memory access patterns in chrome.exe or chromium processes, though the permissions flaw itself may not generate obvious system-level signals. Network-based detection is limited; attackers need not exfiltrate data to external networks—they may simply read it within the browser context.

Why prioritize this

Assign this vulnerability medium priority based on its CVSS 4.3 score and real confidentiality impact, but it does not require emergency response. The requirement for user interaction, the absence of code execution or system compromise, and the lack of active exploitation reduce urgency compared to higher-severity flaws. Prioritize patching for user populations handling sensitive data (compliance, finance, healthcare teams) within 2–4 weeks. General user populations can follow standard patch cycles. Organizations not yet on Chrome 149 should assess their current version and plan rollout accordingly.

Risk score, explained

The CVSS 3.1 score of 4.3 (Medium) reflects a network-accessible vulnerability requiring user interaction, with a confidentiality impact but no impact to integrity or availability. The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N denotes: network attack surface, low attack complexity, no privilege required, user interaction mandatory, unchanged scope, and low confidentiality loss. The 'Low' Chromium severity designation likely reflects the browser team's assessment that typical users have limited exposure, but the CVSS score acknowledges meaningful confidentiality risk in scenarios where sensitive data is simultaneously accessible in multiple browser origins.

Frequently asked questions

Can this vulnerability be exploited without the user clicking anything?

No. The attack requires the user to interact with the attacker's crafted HTML page—visiting the page, clicking a link, or otherwise triggering the browser to load and process the malicious content. A passive presence on a network is not sufficient.

Does this vulnerability allow an attacker to execute code on my computer?

No. The flaw is a data leak within the browser's permission model, not a code execution vulnerability. An attacker can only read data from other browser origins; they cannot install malware, modify files, or compromise the operating system.

What should organizations do if they are still running Chrome versions older than 149.0.7827.53?

Update immediately via Settings → About Chrome for manual updates, or confirm auto-update is enabled. For managed deployments, stage and roll out version 149.0.7827.53 or later through your IT management platform. Verify deployment within 2–4 weeks, prioritizing users with access to sensitive applications.

Are other browsers or Chromium-based browsers affected?

This CVE is specific to Google Chrome. Chromium-based browsers (Edge, Brave, Opera, etc.) may be affected if they use the same vulnerable code path and have not backported the fix. Check your browser vendor's security advisories for their respective patch status.

This analysis is provided for informational purposes and should not be construed as legal or compliance advice. Organizations must verify all patch versions, affected product versions, and deployment guidance against official vendor advisories before taking action. CVSS scores are provided by the National Vulnerability Database (NVD) and may vary across different vulnerability assessment organizations. The absence of a vulnerability from the CISA KEV catalog does not guarantee it is not being exploited; it indicates only that CISA has not confirmed active exploitation at the time of publication. All remediation guidance should be tested in non-production environments before enterprise deployment. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).