CVE-2026-11292: Chrome CSP Bypass in Blink Rendering Engine – CVSS 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in the Blink rendering engine that allows attackers to bypass Content Security Policy (CSP) protections through a specially crafted webpage. An attacker would need to trick a user into visiting a malicious site, where the weakness could enable injection of unintended content or scripts that CSP was supposed to prevent. While Chromium rates this as low severity, the CVSS score reflects moderate impact potential because CSP bypass can lead to unauthorized modifications of page behavior.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-693
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Insufficient policy enforcement in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient policy enforcement in Blink's Content Security Policy implementation (CWE-693: Improper Neutralization of Equivalent Keywords in Access Control Lists). An attacker crafting a specially designed HTML page can circumvent CSP headers that normally restrict script execution, resource loading, and other dangerous behaviors. The flaw requires user interaction—the victim must visit the attacker's crafted page—and does not affect system confidentiality or availability, only the integrity of the security boundary that CSP establishes. The rendering engine fails to properly validate or enforce CSP directives under specific conditions that the attacker can manipulate.
Business impact
This vulnerability degrades the effectiveness of a critical web security control. For organizations relying on CSP to mitigate XSS and injection attacks on internal web applications or customer-facing properties, a successful exploit could allow attackers to inject malicious scripts or content that bypasses those defenses. The practical impact depends on what resources CSP was intended to protect; however, since exploitation requires the user to actively visit a malicious page, the attack surface is limited to scenarios where social engineering or phishing succeeds. Organizations with strict CSP policies intended to prevent script injection will find those policies circumvented on vulnerable Chrome versions.
Affected systems
The vulnerability affects Google Chrome prior to version 149.0.7827.53. As Blink is Chrome's rendering engine, the flaw is inherent to Chrome itself. While vendors_products lists macOS, Windows, and Linux, these are the operating systems on which vulnerable Chrome installations run; the vulnerability is not in the OS kernels themselves but in the Chrome browser. Any user or system running Chrome before 149.0.7827.53 is at risk if they visit a crafted webpage.
Exploitability
Exploitability is moderate. The attack requires user interaction—the victim must visit a webpage controlled or influenced by the attacker—making it unsuitable for mass exploitation but practical for targeted attacks or watering-hole scenarios. An attacker does not need special privileges or system access; they only need to craft a malicious HTML page and convince or trick a user to visit it. The technical barrier to crafting the exploit is low to moderate, depending on the specific CSP bypass technique. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the data snapshot, suggesting no in-the-wild exploitation has been widely reported, though that status can change.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome typically updates automatically, but users should verify their version (menu > Help > About Google Chrome) to confirm they are current. Organizations managing Chrome through Group Policy or device management solutions should deploy the patch through those mechanisms. No workaround exists for the underlying flaw; patching is the only mitigation. Users should also be reminded of security best practices: avoid clicking links from untrusted sources, and review CSP headers on their web applications to ensure they are configured correctly.
Patch guidance
Google Chrome version 149.0.7827.53 and later contain the fix. Most Chrome users will receive the update automatically, typically within days of release. Verify successful patching by navigating to chrome://version or the About Chrome page in the browser. Enterprise deployments can validate patch deployment through their mobile device management (MDM) or browser management tools. If you maintain web applications that rely on CSP for security, test CSP policies in the patched version to ensure they function as intended and do not rely on any workarounds for this bug. There is no indication that the patch introduces breaking changes for standard CSP configurations.
Detection guidance
At the endpoint level, monitor Chrome version compliance to ensure systems are not running versions prior to 149.0.7827.53. Browser telemetry or device inventory tools can enumerate Chrome versions across your fleet. At the web application level, if you serve content that depends on CSP enforcement, review access logs and security events for anomalous script execution or unexpected content injection following the vulnerability publication date (June 5, 2026) and before patch deployment in your environment. Test your CSP policies in both vulnerable and patched versions to confirm whether your configuration was affected by this bypass. Network-level detection is difficult because the attack is invisible to the network—it depends on the browser's parsing of CSP headers, which occurs client-side.
Why prioritize this
This vulnerability merits prompt but not emergency patching. The CVSS score of 4.3 (MEDIUM) reflects the integrity impact and ease of attack, but the requirement for user interaction limits the blast radius. Prioritize patching for systems that: (1) handle sensitive web applications where CSP is a critical defense layer, (2) are exposed to users who may be social-engineered into visiting malicious sites, or (3) are used by high-value targets (e.g., security researchers, journalists). Standard enterprise users browsing the general web should still be patched promptly via normal update cycles, but this is not a 'drop everything' emergency patch like a zero-day RCE would be.
Risk score, explained
The CVSS 3.1 score of 4.3 (MEDIUM) is derived from: Network attack vector (attacker can exploit remotely), Low attack complexity (no special conditions required), No privileges required, User interaction required (victim must visit the malicious page), Unchanged scope (no privilege escalation outside the browser sandbox), No confidentiality impact, Low integrity impact (CSP bypass allows unintended modifications), and No availability impact. The score reflects that while the attack is easy to mount and does not require victims to have special credentials, it is constrained by the need for user action and limited to compromising the integrity of CSP protections rather than stealing data or crashing systems. Chromium's internal severity rating of 'Low' differs from the CVSS 'MEDIUM' because CVSS factors in the attack surface (unauthenticated network access) while Chromium's rating may weigh the specific harm narrower.
Frequently asked questions
Will Chrome auto-update fix this automatically?
Yes, Chrome includes automatic updates for most users. Within days of the fix release (version 149.0.7827.53 and later), Chrome will download and install the patch, typically prompting a restart. Users can accelerate the process by manually checking for updates in Settings > About Google Chrome. Enterprise environments with auto-update disabled should deploy the patch manually via their management platform.
Can I detect if I was exploited by this vulnerability?
Detection is difficult after the fact because the exploit occurs in the browser during page rendering and does not leave obvious artifacts. If you suspect a site exploited this flaw, look for unexpected inline scripts, stylesheets, or network requests in your browser's DevTools (F12 > Network and Console tabs). At the organizational level, if you maintain web applications, monitor for anomalous content injection in your logs or security event streams starting around the vulnerability publication date. After patching, re-test your CSP policies to confirm they are working as designed.
Does this affect Chrome on Android or iOS?
Yes, Blink powers Chrome on Android. Chromebook and Android Chrome users should ensure they are on version 149.0.7827.53 or later through their device's app store or system updates. iOS Chrome uses Apple's WebKit engine, not Blink, so it is not affected by this specific Blink vulnerability.
What should web developers do about this?
Verify that your Content Security Policy is correctly configured and test it in both pre-patch (149.0.7827.52 and earlier) and post-patch Chrome versions to understand whether this bypass affected your protection model. Do not add workarounds to your CSP; instead, patch your users' browsers. Review your CSP rules for unintended overly-permissive directives (e.g., script-src 'unsafe-inline') which could amplify the impact of any CSP bypass.
This analysis is provided for informational purposes to support security decision-making. While we have endeavored to be accurate, SEC.co does not guarantee the completeness or timeliness of vulnerability intelligence. Always refer to official vendor advisories (Google Chrome Security Release) for definitive patch details and affected versions. Exploit availability and real-world attack prevalence can change; monitor CISA's KEV catalog and threat intelligence feeds for updates. Test patches in a non-production environment before broad deployment. The CVSS score and other technical metadata reflect the published CVE record; your environment's actual risk may differ based on your Chrome deployment, CSP configuration, and user exposure. Legal and compliance requirements may impose stricter timelines than CVSS alone suggests. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11174MEDIUMChrome Site Isolation Bypass – CVSS 5.3 Medium Vulnerability
- CVE-2026-11206MEDIUMChrome Service Worker Data Leak Vulnerability – CVSS 6.5
- CVE-2026-11219MEDIUMGoogle Chrome Navigation Bypass Vulnerability – Patching Guide
- CVE-2026-11234MEDIUMChrome FoldableAPIs Site Isolation Bypass (149.0.7827.53)
- CVE-2026-11260MEDIUMGoogle Chrome CSP Bypass in Permissions Handling
- CVE-2026-11264MEDIUMContent Security Policy Bypass in Chrome – Patch to 149.0.7827.53
- CVE-2026-11266MEDIUMChrome Safe Browsing Bypass Vulnerability — Patch v149.0.7827.53
- CVE-2026-11288MEDIUMCross-Origin Data Leak via CSS in Chrome – Patch Guidance