CVE-2026-11255: Chrome Storage Access API Data Leak – Patch to 149.0.7827.53
A flaw in Google Chrome's Storage Access API fails to properly check user input, creating a security gap. If an attacker first compromises Chrome's renderer process—the part that runs web content—they could exploit this gap to steal data from websites you've visited, even across security boundaries that normally block such access. The issue affects Chrome versions before 149.0.7827.53, as well as the underlying operating systems on macOS, Linux, and Windows where Chrome runs.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in Storage Access API in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11255 involves insufficient input validation (CWE-20) in the Storage Access API within Google Chrome prior to version 149.0.7827.53. The vulnerability allows a remote attacker with a compromised renderer process to exfiltrate cross-origin data through a maliciously crafted HTML page. The Storage Access API is designed to mediate third-party cookie access in privacy-focused browser configurations; weak validation of untrusted input in this API creates a means to bypass intended access controls. Exploitation requires prior renderer process compromise, making this a post-compromise disclosure vulnerability.
Business impact
Organizations that standardize on Chrome for internal or customer-facing use face a data confidentiality risk if their systems are already targeted by an attacker with the capability to compromise the renderer process. The ability to leak cross-origin data could expose sensitive information from banking, email, or SaaS platforms. While the vulnerability requires a prior successful compromise, the ease of exploitation once that foothold exists (no user interaction required) elevates the risk for high-value targets. Patch deployment must be prioritized to close the exfiltration vector, particularly in environments where browser-based work involves sensitive data.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are directly vulnerable. The vulnerability's impact is platform-independent because it resides in Chrome's browser engine; however, the affected vendor list includes Apple macOS, Linux, and Microsoft Windows, reflecting the operating systems on which Chrome runs. Organizations should verify their Chrome deployment version and confirm patch availability for their OS distribution.
Exploitability
Exploitation requires two conditions: (1) the renderer process must already be compromised by an attacker, and (2) the attacker must serve a crafted HTML page to the compromised browser. Once both conditions are met, no user interaction is needed to trigger the leak (the network access vector is unauthenticated, low complexity). This is a high-impact post-compromise scenario—not a zero-click worm—but the low barrier to exploitation after the renderer is compromised makes it attractive to sophisticated adversaries already inside the network.
Remediation
Update Google Chrome to version 149.0.7827.53 or later on all affected systems. Verify the update through Chrome's built-in update mechanism (Settings > About Chrome) and confirm the version number post-reboot. Organizations managing Chrome deployments via mobile device management (MDM) or group policy should queue this update for immediate rollout. No workarounds or configuration changes are available; patching is the only remediation.
Patch guidance
Google Chrome updates are delivered automatically via the browser's updater; users should allow automatic restart when prompted. For managed deployments, push the update through your MDM console or enterprise Chrome management tools. Verify successful patching by checking chrome://version/ across a sample of endpoints. Consider a mandatory restart cycle within 24–48 hours of patch availability to reduce the window where the vulnerability remains exploitable. Third-party applications embedding Chromium or using the Chrome API surface (such as Electron-based apps) may also require updates; consult vendor advisories for those products.
Detection guidance
Detection at the network level is limited because exploitation occurs in-browser within an already-compromised renderer process. Focus detection efforts on: (1) monitoring for unexpected renderer crashes or instability patterns that may precede or indicate exploitation attempts, (2) endpoint telemetry for unusual cross-origin fetch patterns or Storage API calls that bypass policy, and (3) behavioral signals indicating data exfiltration to unexpected destinations. SIEM teams should correlate Chrome crash logs with outbound data transfers to suspicious hosts. Browser security event logs (if available via your MDM solution) should be reviewed for anomalous Storage Access API activity.
Why prioritize this
Although Chromium rates this as Low severity, the CVSS 3.1 score of 7.5 (HIGH) reflects the real-world confidentiality impact: an attacker with renderer-level access gains unauthenticated, no-interaction exfiltration of cross-origin data. The absence of KEV (Known Exploited Vulnerability) status suggests active exploitation is not yet widespread, but the attack surface is broad because any compromised renderer process becomes an exfiltration tool. Organizations with users accessing sensitive web services (banking, healthcare, SaaS platforms) should prioritize this patch within their normal critical update cycle (1–2 weeks).
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) is driven by: Attack Vector (Network) and Attack Complexity (Low) reflecting the remote, low-friction nature of exploitation; Privileges Required (None) and User Interaction (None) reflecting the post-compromise context where the renderer is already under attacker control; Confidentiality Impact (High) reflecting the ability to leak cross-origin data; Integrity and Availability Impact (None) reflecting that this is a disclosure-only flaw. The score appropriately balances the high impact (data exfiltration) against the prerequisite of renderer compromise. Organizations should not discount this as 'just' a post-compromise issue; renderer compromise is a realistic threat in targeted attacks and malware campaigns.
Frequently asked questions
Does this vulnerability allow attackers to steal my passwords or credit card data?
Only if the compromised renderer process accesses a website where you are already logged in. The vulnerability leaks cross-origin data that the renderer can access—typically the content of pages you've already loaded or authenticated to. If your browser is not logged into a banking or email site at the time of exploitation, that data cannot be leaked. However, attackers often compromise renderers as part of a broader infection, so assume an attacker may hold access for an extended period and gain visibility into multiple sessions.
Why does the Chromium report say 'Low' severity but the CVSS score is 'HIGH'?
Chromium severity ratings reflect the browser team's internal risk assessment and may prioritize implementation complexity or real-world exploit feasibility. CVSS 3.1 (HIGH, 7.5) is a standardized metric that reflects the confidentiality impact and ease of exploitation once the renderer is compromised. Both assessments are valid; CVSS is often the metric used for organizational risk ranking, while Chromium severity informs the browser team's patch schedule. In this case, the HIGH CVSS rating is appropriate for security teams managing enterprise risk.
If I haven't updated to Chrome 149.0.7827.53 yet, can I reduce my risk?
Patching is the only reliable mitigation. You can reduce exposure by limiting the number of sensitive web services you access from Chrome while running an older version, but this is not practical for most users. If your organization has a delayed patching schedule, consider an expedited rollout for this vulnerability. Browser sandboxing and isolation technologies in Chrome limit (but do not eliminate) renderer compromise risk; keep your operating system and other software patched as well.
What operating systems are affected?
The vulnerability exists in Chrome's browser engine, so it affects Chrome on Windows, macOS, and Linux. Patch Chrome on all operating systems. The vendor list (Apple macOS, Linux, Microsoft Windows) reflects the platforms where Chrome runs; there is no platform-specific variant of this bug.
This analysis is provided for informational purposes and does not constitute professional security advice. Organizations should independently verify all patch versions and compatibility with their environment. CVSS scores, CVE descriptions, and vendor advisory details are subject to updates by NIST, the CNA, and Google; refer to the official CVE record and vendor security advisories for authoritative information. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence relative to zero-day or in-the-wild exploitation. Security teams should conduct their own risk assessment and prioritization based on their asset inventory, threat model, and patch management policy. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10922HIGHChrome DevTools Same-Origin Policy Bypass (CVSS 8.8)
- CVE-2026-10969HIGHChrome Extension Privilege Escalation Vulnerability – Patch Guidance
- CVE-2026-10970HIGHChrome Sandbox Escape via InterestGroups Input Validation Flaw
- CVE-2026-11046HIGHChrome Media Sandbox Escape – Patch Now to Version 149.0.7827.53