MEDIUM 6.5

CVE-2026-11284: Chrome Performance API Side-Channel Information Disclosure (CVSS 6.5)

Google Chrome versions prior to 149.0.7827.53 contain a side-channel vulnerability in the Performance APIs that allows an attacker to extract sensitive data across website boundaries. An attacker can craft a malicious webpage that, when visited by a user, leaks information from other websites the user is viewing or has visited. This works because certain performance measurement features can infer timing details that reveal cross-origin data, even though browsers are designed to isolate websites from each other.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-1300, CWE-203
Affected products
4 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Side-channel information leakage in PerformanceAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11284 is a side-channel information disclosure vulnerability affecting Chrome's Performance APIs prior to version 149.0.7827.53. The vulnerability stems from insufficient isolation of timing-related data that can be exploited to infer sensitive information across origin boundaries. The attack requires user interaction (visiting a malicious page) but no special privileges. The vulnerability exploits weaknesses in the timing-based isolation mechanisms that browsers use to prevent cross-origin data leakage, allowing a network-accessible attacker to construct requests and measure performance characteristics in ways that reveal private data. It maps to CWE-1300 (Improper Neutralization of Irrelevant Data Elements in Input During Processing) and CWE-203 (Observable Discrepancy), reflecting both the side-channel nature and the information disclosure aspect.

Business impact

This vulnerability primarily threatens user privacy by enabling attackers to infer what other websites users are accessing or what data those sites contain. For organizations, the risk manifests in two ways: (1) employees whose browsing is monitored via malicious sites may have their internal site visits or sensitive document access inferred, and (2) web applications that rely on Performance APIs for analytics or monitoring could be instrumented by attackers to leak cross-origin behavior. The practical impact depends on whether sensitive timing patterns in an organization's web services correlate with confidential operations. Given the required user interaction and the need to craft specific HTML payloads, mass exploitation is less likely than targeted campaigns against high-value targets.

Affected systems

Google Chrome prior to version 149.0.7827.53 is the primary affected component. The vulnerability also affects Chrome on macOS, Linux, and Windows platforms, since the underlying Performance APIs flaw is cross-platform. Organizations running any older build of Chromium-based browsers derived from the affected Chrome codebase may also be exposed, though the immediate remediation focus is on Chrome updates.

Exploitability

Exploitation requires user interaction (the user must visit a malicious website) and network access, but does not require special privileges or authentication. An attacker can host a crafted HTML page that, upon visitor access, silently performs timing measurements against cross-origin targets to infer private data. The attack is probabilistic rather than deterministic, requiring careful measurement and statistical analysis, which raises the bar somewhat but does not prevent targeted attacks. The Chromium project assessed this as 'Low' severity in their internal review, likely because the attack surface and information leakage are constrained, though the CVSS score of 6.5 (MEDIUM) reflects the real-world privacy impact.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. This version includes fixes to the Performance APIs to prevent timing-based side-channel inference across origins. Users should enable automatic updates to receive patches automatically. For organizations managing Chrome deployments, verify that Chrome update policies are configured to push the patched version promptly.

Patch guidance

Apply Chrome version 149.0.7827.53 or later across all endpoints. Chrome's auto-update mechanism typically delivers patches within days of release. Administrators using Chrome Enterprise should verify that the managed Chrome policy is set to allow automatic updates or manually push the patched version through their deployment infrastructure. Verify compatibility with any internal web applications that may depend on Performance APIs before broad rollout, although this fix should not break legitimate uses of the API.

Detection guidance

Detection is challenging because the attack relies on timing measurements that are inherently part of legitimate browser functionality. However, security teams can look for: (1) patterns of repeated, rapid cross-origin timing probes from a single source IP or ASN targeting multiple internal or sensitive domains; (2) unusual performance API calls from iframes or third-party scripts on untrusted pages; (3) behavioral indicators such as users visiting known malicious sites followed by unusual internal traffic patterns. Network-layer detection of the attack itself is unlikely, but monitoring user browsing behavior for visits to suspicious pages combined with subsequent data access anomalies can help identify compromise.

Why prioritize this

Prioritize this vulnerability for patching because it enables privacy breach of employees and potentially sensitive internal systems through a user-interaction vector that is difficult to prevent solely through network controls. However, it is not critical because exploitation requires both crafted content and statistical inference, making it less suitable for mass exploitation or worm propagation. Organizations handling highly sensitive information or in regulated industries (finance, healthcare, government) should patch within days. Standard enterprises can roll out patches on a normal weekly cadence.

Risk score, explained

The CVSS 6.5 (MEDIUM) score reflects high confidentiality impact (users can leak cross-origin data), but zero integrity and availability impact. The attack requires network access and user interaction but no privileges. The score appropriately penalizes the real-world privacy risk while acknowledging that the attack is neither trivial nor network-only. The absence from the KEV catalog indicates that, at publication time, there is no evidence of active exploitation in the wild, which is consistent with the technical complexity of performing reliable side-channel measurement.

Frequently asked questions

Can this vulnerability be exploited without the user visiting a malicious website?

No. The attack requires the user to navigate to a page controlled by the attacker. It cannot be exploited through network interception, cross-site request forgery, or other passive means. This makes phishing or social engineering a prerequisite for targeted attacks.

Does this affect other Chromium-based browsers like Edge, Brave, or Opera?

Yes, other Chromium-based browsers that use the affected Performance APIs code may be vulnerable until their vendors release and deploy patched Chromium. However, the CVE and patch are specific to Google Chrome. Check your browser vendor's security advisory for equivalent patches.

What data can realistically be leaked through this vulnerability?

The attacker can infer timing patterns that correlate with the presence or absence of content, the size of data being transmitted, or the computational cost of processing on a remote server. This can reveal which pages a user visits, whether a user is logged into a service, or whether a particular API endpoint is busy, but it does not directly exfiltrate passwords or encryption keys.

If we disable the Performance APIs, are we safe?

Disabling Performance APIs entirely would prevent exploitation, but would break legitimate performance monitoring and analytics features in modern web applications. The recommended approach is to update Chrome to the patched version rather than disable the API wholesale.

This vulnerability intelligence is provided for educational and security planning purposes. The information herein is based on the CVE record published on 2026-06-05 and modified on 2026-06-17. SEC.co does not provide security consulting or legal advice. Organizations should verify patch applicability, test updates in non-production environments, and consult their vendor's official security advisories before deploying patches. The absence of a CVE from the KEV catalog does not guarantee absence of active exploitation; threat actors may exploit vulnerabilities before public disclosure or KEV listing. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).