MEDIUM 6.5

CVE-2026-11289: Chrome Paint Side-Channel Information Disclosure Vulnerability

A side-channel vulnerability in Google Chrome's Paint component allows attackers to leak sensitive cross-origin data through a specially crafted web page. An attacker would need to trick a user into visiting a malicious website, but once there, the vulnerability could expose information from other websites the user has open—a serious privacy breach. The issue affects Chrome versions before 149.0.7827.53 across Windows, macOS, and Linux.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-1300, CWE-203
Affected products
4 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11289 is a side-channel information disclosure vulnerability in the Paint subsystem of Chromium-based browsers. The vulnerability exploits timing or observable rendering behavior differences to infer cross-origin sensitive data, classified under CWE-1300 (Improper Neutralization of Timing Side-Channels) and CWE-203 (Observable Discrepancy). An unauthenticated remote attacker can trigger this via a crafted HTML payload without elevated privileges, requiring only user interaction (visiting the malicious page). The Chromium security team rated the underlying issue as Low severity, though the CVSS 3.1 score of 6.5 (MEDIUM) reflects the high confidentiality impact despite the low attack complexity and straightforward exploitation path.

Business impact

This vulnerability poses a direct confidentiality risk to users' browsing data. If exploited at scale, attackers could harvest credentials, session tokens, or personal information from active sessions in other browser tabs. For organizations, this affects employee browsers and could enable targeted phishing or credential theft. The attack requires no network-level privileges, making it a viable vector for compromised ad networks or watering-hole campaigns. Enterprises relying on Chrome as their primary browser should prioritize patching to maintain user privacy and prevent data exfiltration.

Affected systems

Google Chrome prior to version 149.0.7827.53 is the primary vulnerable component. The vulnerability affects Chrome on all major platforms: Microsoft Windows, Apple macOS, and Linux distributions. Any system running an unpatched version of Chrome in this range is at risk. Chromium-based browsers derived from vulnerable versions may also be affected—verify with your organization's browser vendor if using Edge, Brave, Opera, or other Chromium forks.

Exploitability

The attack has low barrier to entry: no authentication required, network-accessible, and user interaction is the only prerequisite (convincing the user to visit a malicious site). The side-channel technique is subtle and does not cause visible crashes or warnings, making detection difficult for end users. No public exploit code is known to be in active circulation, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog. However, the simplicity of delivery via web pages means exploitation could scale rapidly once proof-of-concept code emerges.

Remediation

Immediately update Google Chrome to version 149.0.7827.53 or later. Chrome updates are typically automatic, but verify completion via Chrome Settings > About Chrome. For enterprise environments, use browser management policies to enforce auto-update and restrict Chrome versions. If using Chromium derivatives, check vendor advisories for patched versions. No workarounds exist; patching is the only mitigation.

Patch guidance

Update Chrome via the built-in updater (Settings > About Chrome > Check for updates), which will restart the browser and apply the patch automatically. Enterprise administrators should deploy Chrome version 149.0.7827.53 or newer using group policy (Windows) or Mobile Device Management (macOS/Linux). Verify deployment by checking chrome://version in the address bar to confirm the running version. For critical environments, consider staggered rollout to validate stability before full deployment, though this patch addresses only confidentiality and carries minimal stability risk.

Detection guidance

Monitor browser version compliance using endpoint detection and response (EDR) tools or mobile device management (MDM) solutions to ensure all Chrome instances are at 149.0.7827.53 or higher. Web application firewalls cannot reliably detect exploitation since the attack occurs client-side in the browser's rendering engine. For forensic investigation, check Chrome's update logs (chrome://system > chrome_updater section on Windows) to confirm patch deployment dates. Watch for anomalous cross-origin data access patterns if correlation is possible; however, the side-channel nature makes real-time detection challenging without specialized instrumentation.

Why prioritize this

Prioritize this patch for your standard Chrome deployment cycle. While rated MEDIUM on CVSS and not yet in active exploitation, the attack surface (any web page a user visits) and the privacy impact (cross-origin data disclosure) justify rapid deployment. The attack does not require network compromise or advanced techniques, making it a likely candidate for future exploit kits once proof-of-concept emerges. Deploy alongside other Chrome security patches in your regular cadence, targeting completion within 30 days.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects a MEDIUM severity driven by high confidentiality impact (user data exposure) but no integrity or availability damage. Attack Vector Network and Attack Complexity Low indicate ease of delivery, while User Interaction Required and Scope Unchanged temper the score. Chromium's own Low severity rating acknowledges that practical exploitation requires specific timing conditions and victim cooperation; the higher CVSS reflects a broader assessment of the information disclosure risk. Organizations handling sensitive user data should weight the confidentiality impact above the base score alone.

Frequently asked questions

Can this vulnerability be exploited without the user clicking anything?

No. While the attacker creates the malicious page, the user must actively visit it (or be redirected to it). Once there, exploitation happens silently in the background via the Paint component's rendering behavior. Users cannot easily detect an active attack.

Does this affect Chrome on mobile devices?

Yes, Chrome on Android and iOS derivatives are potentially affected if they run vulnerable Chromium versions. Verify your mobile browser version in Settings > About [Browser] and update accordingly. Mobile management tools should enforce automatic updates.

If I update Chrome, are old sessions at risk?

The vulnerability leaks data that is actively loaded in browser memory at the time of the attack. Updating Chrome closes all open tabs and sessions, so patching immediately stops future attacks. Past exposures cannot be reversed, but current accounts should be considered at risk if the user visited untrusted sites before patching.

Why is Chromium severity rated Low but CVSS is Medium?

Chromium's Low rating reflects the narrow technical nature of the side-channel (specific timing observable in Paint). CVSS's Medium score accounts for the broader risk: any web page can trigger it, and the confidentiality loss (cross-origin data) is high. Both ratings are correct in their context; CVSS is more conservative for enterprise risk decisions.

This analysis is based on publicly available vulnerability data as of June 2026. Patch version numbers and affected product versions are sourced from official vendor advisories and the CVE record; verify against Google Chrome's security advisories before deployment. Side-channel vulnerabilities are inherently difficult to detect and exploit reliably—actual impact may vary by system configuration, browser extensions, and user behavior. This document does not constitute legal or compliance advice. Organizations should incorporate this intelligence into their patch management and risk assessment processes according to their own policies and regulatory requirements. No exploit code is provided, and responsible disclosure practices remain in effect. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).